What causes "'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone"
  • 17 Oct 2022


Unexpected configuration errors when starting or reconfiguring BIND:

When named starts after an upgrade from an earlier release of BIND 9.16 or 9.18, it may reject a zone configuration that was previously accepted.

The error being logged will be one of:

'inline-signing yes;' must also be configured explicitly for zones using dnssec-policy without a configured 'allow-update' or 'update-policy'

'dnssec-policy;' requires dynamic DNS or inline-signing to be configured for the zone

This is a new configuration check that was added to the BIND 9.16 and 9.18 branches in releases 9.16.33 and 9.18.7. It was noted specifically in the Release Notes as a feature change in those versions:

Zones using dnssec-policy now require dynamic DNS or inline-signing to be configured explicitly. [GL #3381]

How should you correct the configuration check failures?

For most configurations, all you need to do is add one option to the configuration of each zone that is logging the error message above:

inline-signing yes;

This option was previously enabled by default for a zone using dnssec-policy without dynamic DNS options.
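As an added example (not ISC's code and not part of this KB article), the following Python script audits a named.conf for zones that will trip this check, and shows the fix applied by inserting inline-signing yes; into each offending zone stanza. It embeds a constructed named.conf sample with one zone that fails the check, one already fixed, one dynamic zone, and one with no policy. Assumptions made here: a zone is flagged when it has a dnssec-policy other than none and has neither inline-signing yes; (yes/true/1 accepted) nor an allow-update or update-policy statement; the parser does minimal brace matching, ignores comments, and does not follow include directives, so it is an upgrade pre-check, not a replacement for named-checkconf.

```python
import re

# Constructed sample named.conf (not taken from the KB article). Four zones:
# "example.com" trips the new check, "example.net" already has the fix,
# "dyn.example.org" is dynamic and therefore acceptable, and
# "unsigned.example" has no dnssec-policy so the check does not apply.
SAMPLE_NAMED_CONF = """\
options {
    directory "/var/named";
};

dnssec-policy "standard" {
    keys {
        csk lifetime unlimited algorithm ecdsap256sha256;
    };
};

zone "example.com" IN {
    type primary;
    file "example.com.db";
    dnssec-policy "standard";   // no inline-signing, no dynamic DNS -> error
};

zone "example.net" {
    type primary;
    file "example.net.db";
    dnssec-policy "standard";
    inline-signing yes;
};

zone "dyn.example.org" {
    type primary;
    file "dyn.example.org.db";
    dnssec-policy "standard";
    allow-update { key "update-key"; };
};

zone "unsigned.example" {
    type primary;
    file "unsigned.example.db";
};
"""

# Statement matchers; the (?<![\w-]) / (?![\w-]) guards keep e.g.
# "allow-update-forwarding" from being mistaken for "allow-update".
ZONE_START_RE = re.compile(r'(?<![\w-])zone\s+"([^"]+)"(?:\s+[A-Za-z]+)?\s*\{')
DNSSEC_POLICY_RE = re.compile(r'(?<![\w-])dnssec-policy\s+"?([\w.-]+)"?\s*;')
INLINE_SIGNING_RE = re.compile(r'(?<![\w-])inline-signing\s+(yes|true|1)\s*;', re.I)
DYNAMIC_DNS_RE = re.compile(r'(?<![\w-])(allow-update|update-policy)(?![\w-])')


def blank_comments(conf):
    """Overwrite //, # and /* */ comments with spaces so offsets stay valid."""
    return re.sub(r'//[^\n]*|#[^\n]*|/\*.*?\*/',
                  lambda m: " " * len(m.group(0)), conf, flags=re.S)


def iter_zone_blocks(conf):
    """Yield (name, body, open_idx, close_idx) for each zone statement.

    Minimal brace matching (assumption): balanced braces, no braces inside
    quoted strings, and no 'include' directives to follow.
    """
    for m in ZONE_START_RE.finditer(conf):
        open_idx = m.end() - 1          # index of the zone's opening '{'
        depth, i = 0, open_idx
        while i < len(conf):
            if conf[i] == "{":
                depth += 1
            elif conf[i] == "}":
                depth -= 1
                if depth == 0:
                    break
            i += 1
        yield m.group(1), conf[open_idx + 1:i], open_idx, i


def zone_trips_check(body):
    """True if this zone body would hit the 9.16.33 / 9.18.7 check: a
    dnssec-policy other than 'none' with neither 'inline-signing yes;' nor
    dynamic DNS (allow-update / update-policy)."""
    m = DNSSEC_POLICY_RE.search(body)
    if m is None or m.group(1).lower() == "none":
        return False
    return not (INLINE_SIGNING_RE.search(body) or DYNAMIC_DNS_RE.search(body))


def audit(conf):
    """Names of the zones in conf that would log the error after upgrade."""
    blanked = blank_comments(conf)
    return [name for name, body, _, _ in iter_zone_blocks(blanked)
            if zone_trips_check(body)]


def add_inline_signing(conf):
    """Return conf with 'inline-signing yes;' inserted into each offending
    zone just before its closing brace; all other text is left untouched."""
    blanked = blank_comments(conf)       # same offsets as conf, comments hidden
    out, last = [], 0
    for _, body, _, close_idx in iter_zone_blocks(blanked):
        if zone_trips_check(body):
            out.append(conf[last:close_idx])
            out.append("    inline-signing yes;\n")
            last = close_idx
    out.append(conf[last:])
    return "".join(out)


if __name__ == "__main__":
    print("zones that will fail the check:", audit(SAMPLE_NAMED_CONF))
    print(add_inline_signing(SAMPLE_NAMED_CONF))
```

Run it against a copy of your real named.conf (reading the file instead of SAMPLE_NAMED_CONF), then validate the rewritten file with named-checkconf before reloading or reconfiguring named.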

Why did this happen?

Ideally we would not make a feature change during the lifetime of a major stable branch that causes configuration files that were previously acceptable to no longer load when starting or reconfiguring BIND. We did so to prevent zone data loss in the case where administrators later add allow-update or update-policy to a primary zone that had previously defaulted to inline-signing yes;.

The risk was that administrators were not aware that their zone (with an active dnssec-policy) had been operating as an inline-signed zone when they made further configuration changes. Converting an inline-signed zone to one that allows dynamic updates can result in the zone's SOA serial number appearing to go backwards because named reverts to maintaining, signing and serving the unsigned zone file. With inline-signing enabled, named creates, maintains and serves a signed version of the zone based on changes received into the unsigned version, incrementing the signed zone version's SOA serial number as it does so.

From BIND 9.16.34 and 9.18.8 upwards, we have made the error condition more explicit, along with a link to this KB article that you are reading now (https://kb.isc.org/docs/dnssec-policy-requires-dynamic-dns-or-inline-signing).

We have also added more information to the Known Issues section of BIND release notes in order to draw administrator attention to this feature change.