DNSSEC, do not allow zones without unassigned policy
According to the initial design, a zone need not have a DNSSEC policy assigned:
keymgr zone add example.com policy none
The signing keys for zones of this kind must be generated manually. However, the policy also defines signature lifetimes, NSEC config, etc.
A possible solution is to add a policy parameter to disable automatic key generation and disallow zones without a policy:
keymgr policy add manual generate-keys initial-only
keymgr zone add example.com policy manual
The generate-keys policy parameter can be true, false, or initial-only.