Setup a DNSSEC with my own public and private key
Jim Reid
jim at rfc1035.com
Fri Jun 25 18:26:09 UTC 2004
>>>>> "Manuel" == Manuel Gil Perez <manuel at dif.um.es> writes:
Manuel> I am the UMU-PKIv6 administrator
Manuel> (http://pki.umu.euro6ix.org) and I would like to use it to
Manuel> enroll my DNS server. Currently, the PKI publishes
Manuel> certificates and CRLs in a DNS server (BIND 9.2.1) through the
Manuel> TSIG mechanism, but I would like to update to BIND 9.3.0
Manuel> to use SIG(0), which is more secure. For this, I would like
Manuel> to set up the DNS with my own keys.
I don't understand. Why should it matter what the value of the key is
for some SIG(0) signed transaction? All you seem to be doing here is
authenticating the source of a dynamic update. I can't see why
anything should need to know or even care about the actual value of
the SIG(0) key that was used or how that could make a difference.
Presumably you'll be doing "nsupdate -k ...." to generate the SIG(0)
signed dynamic updates, so the only things that would need to know
about the actual keys are the things which generate and validate those
"signatures", i.e. the nsupdate client and the name server.
BTW you might also want to check out the CERT record and publish your
certificates in the DNS. Though this might not be sensible unless they
were stored in a DNSSEC-signed zone.
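To make Jim's point concrete, here is an added example (not part of the original thread, and not BIND's or UMU-PKIv6's own configuration) showing the only two places a SIG(0) key has to be known: the name server, which needs the public KEY record in the zone and an update-policy that names the key, and the nsupdate client, which signs with the matching private key via -k. The zone, host and key names, the CERT record contents and the mktemp key directory are constructed assumptions; the dnssec-keygen flags are the ones current BIND accepts (the -T KEY option did not exist in 9.3, where -n HOST alone produced a KEY record).

```sh
#!/bin/sh
# Added example for SIG(0)-signed dynamic updates with BIND (assumed names).
ZONE="pki.example.test"          # assumption: the zone receiving updates
HOST="dns.$ZONE"                 # assumption: name whose CERT records change
KEYNAME="updater.$ZONE"          # assumption: owner name of the SIG(0) key

# named.conf zone stanza: the server only needs the key's *name* here, plus
# the public KEY RR pasted into the zone file from the generated .key file.
# The grant is scoped to CERT records under one name (least privilege).
update_policy() {
    cat <<EOF
zone "$ZONE" {
    type master;
    file "$ZONE.db";
    update-policy {
        grant $KEYNAME. name $HOST. CERT;
    };
};
EOF
}

# nsupdate batch replacing the host's CERT record set; the actual key value
# never appears here, it is supplied by "nsupdate -k <private key file>".
# $1 is the base64 DER certificate (constructed placeholder in the demo).
nsupdate_script() {
    cat <<EOF
server 127.0.0.1
zone $ZONE.
update delete $HOST. CERT
update add $HOST. 3600 IN CERT PKIX 0 0 $1
send
EOF
}

# Operator steps, printed rather than executed so this runs without BIND.
# 1. generate the key pair (writes K$KEYNAME.+<alg>+<id>.key and .private)
# 2. append the .key file (a KEY RR) to the zone file and reload
# 3. sign the update with the .private file
operator_commands() {
    KEYDIR="$(mktemp -d)"        # assumption: scratch directory for the keys
    cat <<EOF
dnssec-keygen -K $KEYDIR -a RSASHA256 -b 2048 -n HOST -T KEY $KEYNAME
cat $KEYDIR/K$KEYNAME.+008+*.key >> $ZONE.db && rndc reload $ZONE
nsupdate -k $KEYDIR/K$KEYNAME.+008+*.private update.txt
EOF
}

update_policy
nsupdate_script "MIIB...base64-cert..." > update.txt
operator_commands
```

Because the policy grants by key name and record type, the same stanza works for any key you install under that name; changing the key never touches the policy, which is why the server does not need to care what the key value is.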