DNSSEC support

[parazyd]

We should think about adding DNSSEC and zone signing support.

[teadur]

After introduction of inline-signing ( https://kb.isc.org/docs/aa-00626 ) is there still something blocking usage of dnssec with gitzone what i could be overlooking ?

dnssec-key generation sounds like only thing what needs to be managed externaly / implemented in gitzone.

[jaromil]

Isn't this cli utility doing the keygen? https://linux.die.net/man/8/dnssec-keygen

[teadur]

Isn't this cli utility doing the keygen? https://linux.die.net/man/8/dnssec-keygen

Yep that's correct, one possible solution to "support" dnssec would be to leverage dnssec-keygen to generate keys if they are missing for zones where dnssec is enabled, the question is should gitzone handle it or not.

[jaromil]

I think the best is to have gitzone list the zones:

1. those without dnssec
2. those with it and keys
3. those with dnssec but without keys in place

if such a list is easy to parse via scripts, then generation can be further scripted and an example can be included in the docs.

I guess this is the best way to make the function transparent and actions confirmed by administrators.

This issue is looking for a contributor BTW, my knowledge or Perl is very scarce.