[Opendnssec-develop] Passing through signed zones

Rick van Rein (OpenFortress) rick at openfortress.nl
Thu Jun 13 14:43:27 UTC 2013


> We have this issue for passing through unsigned zones:

You must mean "for passing zones without adding signatures".
The zone might already be signed, of course.

> The user should configure in the zonelist.xml if a zone should be passed
> through by using a special name:
>    <Policy>passthrough</Policy>

I assume this is a user-picked name that suggests to them what they mean, but that the name is not, as Jakob assumed from this text, in any way special.

I assume the real configuration would come down to setting no cryptographic configuration, or explicitly selecting a null or passthrough mechanism for signing/keying?

> Con:

 - Temporary passthrough signatures, such as during a zone migration between vendors, could end up requiring a change of signing policy.  You might not be prepared to support that.

> What do you think?

I think it's wonderful that this is being added.  I've missed it for a long time.
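As an added illustration of the configuration being discussed (this is not part of the original message nor code or documentation from the OpenDNSSEC project): a zonelist.xml with one zone signed under an ordinary policy and one zone marked with the proposed passthrough policy name. The zone names and file paths are assumptions; whether `passthrough` is treated as a reserved name or is just a user-picked label is exactly the open question in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Assumed example zonelist.xml; zone names and paths are placeholders. -->
<ZoneList>

  <!-- Ordinary zone: signed according to the "default" policy in kasp.xml. -->
  <Zone name="signed.example">
    <Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/signed.example.xml</SignerConfiguration>
    <Adapters>
      <Input>
        <Adapter type="File">/var/opendnssec/unsigned/signed.example</Adapter>
      </Input>
      <Output>
        <Adapter type="File">/var/opendnssec/signed/signed.example</Adapter>
      </Output>
    </Adapters>
  </Zone>

  <!-- Zone passed through as proposed in the quoted message: the input
       (which may already carry signatures from another signer) is copied
       to the output without OpenDNSSEC adding signatures of its own. -->
  <Zone name="migrating.example">
    <Policy>passthrough</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/migrating.example.xml</SignerConfiguration>
    <Adapters>
      <Input>
        <Adapter type="File">/var/opendnssec/unsigned/migrating.example</Adapter>
      </Input>
      <Output>
        <Adapter type="File">/var/opendnssec/signed/migrating.example</Adapter>
      </Output>
    </Adapters>
  </Zone>

</ZoneList>
```

The con raised above is visible here: taking migrating.example out of passthrough later means editing its `<Policy>` element, i.e. a signing-policy change for the zone rather than a purely operational switch.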
