Open parazyd opened 5 years ago
After the introduction of inline-signing ( https://kb.isc.org/docs/aa-00626 ), is there still something blocking the usage of DNSSEC with gitzone that I could be overlooking?
DNSSEC key generation sounds like the only thing that needs to be managed externally / implemented in gitzone.
Isn't this cli utility doing the keygen? https://linux.die.net/man/8/dnssec-keygen
Yep, that's correct. One possible solution to "support" DNSSEC would be to leverage dnssec-keygen to generate keys if they are missing for zones where DNSSEC is enabled; the question is whether gitzone should handle it or not.
I think the best option is to have gitzone list the zones:
if such a list is easy to parse via scripts, then generation can be further scripted and an example can be included in the docs.
I guess this is the best way to make the function transparent and have actions confirmed by administrators.
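An added example of the scripted approach described in the two comments above (not part of gitzone): given a plain zone list and a key directory, it reports the zones that have no dnssec-keygen key files yet and, when run with arguments, creates an ECDSAP256SHA256 KSK/ZSK pair for each of them so that named's inline-signing can pick them up. The zone list format, the key directory path and the algorithm choice are assumptions.

```shell
#!/bin/sh
# Added example, not gitzone code: find zones in a list that have no DNSSEC
# keys in the key directory and generate a KSK/ZSK pair for each with
# dnssec-keygen. Assumes one zone name per line ('#' comments allowed).
set -eu

ALGO="ECDSAP256SHA256"   # assumption: algorithm 13, no -b key size needed

# Print the zones from list $1 that have no K<zone>.+*.key file in directory $2.
# dnssec-keygen names its files K<zone>.+<alg>+<keyid>.key / .private.
zones_missing_keys() {
    zonelist=$1
    keydir=$2
    sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$zonelist" | while read -r zone; do
        # An unmatched glob stays literal, so ls fails when no key exists.
        if ! ls "$keydir"/K"$zone".+*.key >/dev/null 2>&1; then
            printf '%s\n' "$zone"
        fi
    done
}

# Generate a KSK and a ZSK for zone $1 into key directory $2 (needs BIND's
# dnssec-keygen on PATH). named with inline-signing loads them from key-directory.
generate_keys() {
    zone=$1
    keydir=$2
    dnssec-keygen -K "$keydir" -a "$ALGO" -f KSK "$zone"
    dnssec-keygen -K "$keydir" -a "$ALGO" "$zone"
}

main() {
    zonelist=$1
    keydir=$2
    mkdir -p "$keydir"
    zones_missing_keys "$zonelist" "$keydir" | while read -r zone; do
        echo "generating keys for $zone in $keydir"
        generate_keys "$zone" "$keydir"
    done
}

# Usage: sh dnssec-keygen-missing.sh zones.list /etc/bind/keys
# (only runs when arguments are given; the functions can also be sourced)
case "${2:-}" in "") ;; *) main "$1" "$2" ;; esac
```

Review the printed "generating keys for" lines (or run zones_missing_keys alone first) so that key creation for each zone is an explicit, administrator-confirmed step rather than a silent side effect.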
This issue is looking for a contributor, BTW; my knowledge of Perl is very scarce.
We should think about adding DNSSEC and zone signing support.