DNSSEC and dynamic update
Chris Buxton
cbuxton at menandmice.com
Wed Jul 16 23:48:13 UTC 2008
As long as named can find the zone's private key(s), it can update the
RRSIG and NSEC records for you. I've tested this, and used it while
leading training courses. This has been true since BIND 9.3, although
my understanding is that 9.3 couldn't differentiate between the ZSK
and KSK. I believe 9.4 has fixed this problem, but I haven't tested
this part.
The trick is to put the private key file where named expects to find
it. In Mark's example, the private key is in the same directory as the
zone. IIRC, with older versions, the private file goes in the working
directory.
Chris Buxton
Professional Services
Men & Mice
On Jul 16, 2008, at 4:37 PM, Chris Thompson wrote:
> On Jul 11 2008, Mark Andrews wrote:
>
>>> Also as a "NetReg" site we are heavily into dynamic dns update - how,
>>> if at all, is that affected?
>>
>> For BIND 9.5 you need to freeze periodically to
>> re-sign records that have not been re-signed as part of the
>> update process. BIND 9.6 will re-sign the zone as needed.
>>
>> The latter works well. I haven't had to manually sign my zones
>> for months.
>
> As I suppose we are all thinking about DNSSEC at the moment, it would be
> useful to have some clarification about the interaction between DNSSEC
> and dynamic update. We have been using update operations exclusively[*]
> on all our zones for some time now.
>
> [*] OK: there is a backstop freeze-replace-thaw procedure for use in
> emergencies as well...
>
> AFAICS there is no difference between 9.4.x and 9.5.x in this area: one
> has to put the new RRSIG (and NSEC, in general?) records into one's update
> requests; i.e. BIND cannot do any of the work for you. Have I got this right?
> The "periodic freeze" would be to replace soon-to-expire RRSIGs? although this
> could presumably be done via update operations as well.
>
> So, can we have a preview of what goodies BIND 9.6.x is going to give us?
> As clearly it already exists on Mark's testbed :-)
>
> Maybe I should also ask: when will NSEC3 be supported by BIND's DNSSEC
> validation code? Not so much because we want to use it (we are not
> paranoid about "enumeration") but because we expect it to be a sticking
> point for many zones out there.
>
> --
> Chris Thompson
> Email: cet1 at cam.ac.uk
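The practical point in Chris Buxton's reply is that named will only maintain RRSIG and NSEC records on dynamic update if it can find the zone's private key file(s) in the directory it searches. The following preflight check is an added example, not code from this thread or from BIND itself: it assumes the K<zone>.+<alg>+<keyid>.private / .key file pair that dnssec-keygen writes, and the directory, algorithm number and key ids it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the bind-users thread or from BIND itself.
# Preflight check before relying on dynamic update for a signed zone: does the
# directory named will look in (the zone's directory, or the working directory
# on the older releases mentioned in the thread) hold a usable private key for
# the zone, named the way dnssec-keygen names it: K<zone>.+<alg>+<keyid>.private ?

# find_private_keys ZONE KEYDIR
# Prints each usable private key file for ZONE found in KEYDIR.
# Exit status 0 if at least one was found, 1 otherwise.
find_private_keys() {
    zone="$1"
    keydir="$2"
    # dnssec-keygen writes the owner name with a trailing dot; add it if missing.
    case "$zone" in
        *.) ;;
        *) zone="$zone." ;;
    esac
    found=0
    for priv in "$keydir"/K"$zone"+*+*.private; do
        [ -e "$priv" ] || continue          # the glob matched nothing
        # named needs both halves: the .key file carries the DNSKEY record.
        pub="${priv%.private}.key"
        if [ ! -r "$pub" ]; then
            echo "warning: $priv has no readable $pub beside it" >&2
            continue
        fi
        if [ ! -r "$priv" ]; then
            echo "warning: $priv is not readable by $(id -un)" >&2
            continue
        fi
        # A private key any local user can read is a signing key for anyone
        # on the box; flag it (POSIX find: -perm -004 means world-readable).
        if [ -n "$(find "$priv" -perm -004)" ]; then
            echo "warning: $priv is world-readable" >&2
        fi
        echo "$priv"
        found=1
    done
    [ "$found" -eq 1 ]
}

# Demonstration on a constructed directory (no real keys are generated):
# algorithm 5 and key ids 12345 / 54321 are made-up sample values.
demo() {
    dir=$(mktemp -d)
    for id in 12345 54321; do
        : > "$dir/Kexample.com.+005+$id.key"
        : > "$dir/Kexample.com.+005+$id.private"
    done
    chmod 600 "$dir/Kexample.com.+005+12345.private"
    chmod 644 "$dir/Kexample.com.+005+54321.private"   # will draw a warning
    if find_private_keys example.com "$dir"; then
        echo "example.com: named can maintain RRSIG/NSEC records from $dir"
    else
        echo "example.com: no usable private key in $dir; updates will not be signed"
    fi
    find_private_keys other.test "$dir" || echo "other.test: no usable private key in $dir"
    rm -rf "$dir"
}

demo
```

Run it with the zone name and whichever directory applies to your release (the zone file's directory, or named's working directory on the older versions the thread mentions); an empty result means updates to that zone will be accepted but not re-signed, which is exactly the silent failure the thread is trying to avoid.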