Discussion:
[Opendnssec-user] NULL signing with 2.0?
Rick van Rein
2016-10-05 11:00:53 UTC
Hi,

How can I inform the 2.0 signer that I'd like to apply a NULL signing
algorithm?

Did I correctly understand that this is now supported -- so that we can
just update the SOA serial but otherwise pass zones through even when
they are not setup for signing?

-Rick
Berry A.W. van Halderen
2016-10-05 11:28:52 UTC
Post by Rick van Rein
Hi,
How can I inform the 2.0 signer that I'd like to apply a NULL signing
algorithm?
Did I correctly understand that this is now supported -- so that we can
just update the SOA serial but otherwise pass zones through even when
they are not setup for signing?
Yes, now supported. It has been called passthrough.
Specify a policy which includes the element <Passthrough/> in it.
Although most elements bear little meaning then, the XML definition
unfortunately requires them to be present.

See:
https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-PassingzonesthroughOpenDNSSECunsigned

\Berry
Post by Rick van Rein
-Rick
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
Yuri Schaeffer
2016-10-06 08:07:08 UTC
Post by Berry A.W. van Halderen
Yes, now supported. It has been called passthrough.
Indeed, also note this is distinct from
https://wiki.opendnssec.org/pages/viewpage.action?pageId=10125376#HowdoI...?-StopusingDNSSECforazone
Where the enforcer gracefully retracts all keys and sigs. The signer
will strip all dnssec related records from the input zone. Passthrough
will leave the input zone untouched.

In the signconf this can be achieved with omitting the <ZSK> and <KSK>
sections.

//Yuri
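As an added example (not code from the thread or from the OpenDNSSEC project): a small audit script that applies the two facts given in the replies above, namely that a KASP policy containing a `<Passthrough/>` element puts zones through unsigned, and that a signconf without `<KSK>`/`<ZSK>` key sections makes the signer pass the zone through. It relies only on those element names; the surrounding document layout of the constructed `kasp.xml` and signconf samples is simplified and is an assumption, not the real schema. The point of such a check is operational: a zone that was meant to be signed but was attached to a passthrough policy, or whose signconf lost its key sections, is served unsigned without any error from the signer.

```python
"""Audit which OpenDNSSEC policies and signconfs result in passthrough (unsigned) zones.

Added example, not part of the mailing-list thread or of OpenDNSSEC itself.
Only the element names mentioned in the thread (<Passthrough/>, <KSK>, <ZSK>)
are relied upon; the enclosing layout of the constructed samples is assumed.
"""
import xml.etree.ElementTree as ET

# Constructed sample kasp.xml (simplified layout): one normal policy and one
# policy carrying the <Passthrough/> element described by Berry.
KASP_XML = """<KASP>
  <Policy name="default">
    <Description>regular signing policy</Description>
  </Policy>
  <Policy name="passthrough">
    <Description>pass zones through unsigned, only bump the SOA serial</Description>
    <Passthrough/>
  </Policy>
</KASP>"""

# Constructed signconf samples (simplified layout). A signed zone carries
# <Key> entries flagged <KSK/> or <ZSK/>; per Yuri, omitting those sections
# makes the signer pass the zone through.
SIGNCONF_SIGNED = """<SignerConfiguration>
  <Zone name="signed.example">
    <Keys>
      <Key><Flags>257</Flags><Algorithm>8</Algorithm><KSK/></Key>
      <Key><Flags>256</Flags><Algorithm>8</Algorithm><ZSK/></Key>
    </Keys>
  </Zone>
</SignerConfiguration>"""

SIGNCONF_PASSTHROUGH = """<SignerConfiguration>
  <Zone name="plain.example">
    <Keys/>
  </Zone>
</SignerConfiguration>"""


def passthrough_policies(kasp_xml: str) -> set:
    """Return the names of all <Policy> elements that contain <Passthrough/>."""
    root = ET.fromstring(kasp_xml)
    return {
        policy.get("name")
        for policy in root.iter("Policy")
        if policy.find("Passthrough") is not None
    }


def signconf_mode(signconf_xml: str) -> str:
    """Return 'signed' if any <Key> carries a <KSK/> or <ZSK/> section,
    otherwise 'passthrough' (no keys, so nothing gets signed)."""
    root = ET.fromstring(signconf_xml)
    for key in root.iter("Key"):
        if key.find("KSK") is not None or key.find("ZSK") is not None:
            return "signed"
    return "passthrough"


def zone_names_in_passthrough(signconf_xml: str) -> list:
    """List the zone names in a signconf whose keys would leave them unsigned,
    which is what an operator wants to double-check after a policy change."""
    root = ET.fromstring(signconf_xml)
    if signconf_mode(signconf_xml) != "passthrough":
        return []
    return [zone.get("name") for zone in root.iter("Zone")]


if __name__ == "__main__":
    print("passthrough policies:", sorted(passthrough_policies(KASP_XML)))
    for name, conf in (("signed", SIGNCONF_SIGNED), ("plain", SIGNCONF_PASSTHROUGH)):
        print(name, "->", signconf_mode(conf), zone_names_in_passthrough(conf))
```

Run against real files by replacing the constructed strings with the contents of the policy file and the signer configuration written for each zone; any zone reported as passthrough that you expected to be signed deserves attention before the unsigned data is published.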