DNSSEC and dynamic update

Chris Buxton cbuxton at menandmice.com
Wed Jul 16 23:48:13 UTC 2008


As long as named can find the zone's private key(s), it can update the
RRSIG and NSEC records for you. I've tested this, and used it while
leading training courses. This has been true since BIND 9.3, although
my understanding is that 9.3 couldn't differentiate between the ZSK
and KSK. I believe 9.4 has fixed this problem, but I haven't tested
this part.

The trick is to put the private key file where named expects to find
it. In Mark's example, the private key is in the same directory as the
zone. IIRC, with older versions, the private file goes in the working
directory.

Chris Buxton
Professional Services
Men & Mice


On Jul 16, 2008, at 4:37 PM, Chris Thompson wrote:

> On Jul 11 2008, Mark Andrews wrote:
>
>>> Also as a "NetReg" site we are heavily into dynamic dns update -
>>> how, if at all, is that affected?
>>
>> 	For BIND 9.5 you need to freeze periodically to
>> 	re-sign records that have not been re-signed as part of the
>> 	update process.  BIND 9.6 will re-sign the zone as needed.
>> 	
>> 	The latter works well.  I haven't had to manually sign my zones
>> 	for months.
>
> As I suppose we are all thinking about DNSSEC at the moment, it would be
> useful to have some clarification about the interaction between DNSSEC
> and dynamic update. We have been using update operations exclusively[*]
> on all our zones for some time now.
>
> [*] OK: there is a backstop freeze-replace-thaw procedure for use in
> emergencies as well...
>
> AFAICS there is no difference between 9.4.x and 9.5.x in this area: one
> has to put the new RRSIG (and NSEC, in general?) records into one's update
> requests; i.e. BIND cannot do any of the work for you. Have I got this right?
> The "periodic freeze" would be to replace soon-to-expire RRSIGs? although this
> could presumably be done via update operations as well.
>
> So, can we have a preview of what goodies BIND 9.6.x is going to give us?
> As clearly it already exists on Mark's testbed :-)
>
> Maybe I should also ask: when will NSEC3 be supported by BIND's DNSSEC
> validation code?  Not so much because we want to use it (we are not
> paranoid about "enumeration") but because we expect it to be a sticking
> point for many zones out there.
>
> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk
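
The periodic freeze-and-re-sign cycle discussed in this thread only works if an operator can tell which RRSIGs the update process has not refreshed. The script below is an added example, not code from the posters or from BIND: it reads a zone in master-file presentation (as named writes it to the zone file, e.g. after an `rndc freeze` flushes the journal), joins parenthesised continuation lines, and lists the RRSIGs whose expiration falls within a grace window of a reference time. The sample zone, `REFERENCE_NOW` and the grace window are constructed for illustration; the field layout follows RFC 4034, and the example goes slightly beyond the thread by accepting both signature-time formats that RFC allows.

```python
"""Flag RRSIG records in a zone dump that a periodic re-sign must refresh.

Added example for this thread (not code from the posters or from BIND).
Input is a zone in master-file presentation, as written by named; the
sample zone below is constructed for illustration.
"""
from datetime import datetime, timedelta, timezone

WEEK = timedelta(days=7)

# Reference "now" for the sample: the timestamp of the post above (assumed).
REFERENCE_NOW = datetime(2008, 7, 16, 23, 48, 13, tzinfo=timezone.utc)

# Constructed sample zone: one RRSIG signed a month ago and close to expiry
# (never touched by an update), one freshly re-signed by named after an
# update. Times are RFC 4034 YYYYMMDDHHmmSS in UTC.
SAMPLE_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@      IN SOA ns1 hostmaster 2008071601 7200 900 1209600 3600
@      IN NS  ns1
@      IN RRSIG NS 5 2 3600 20080720000000 (
              20080620000000 12345 example.net.
              AbCdEf== )          ; about to expire
host1  IN A   192.0.2.10
host1  IN RRSIG A 5 3 3600 20080815233000 20080716233000 12345 example.net. ZzYy==
"""


def zone_records(text):
    """Yield each logical record as a token list.

    Strips ';' comments and joins parenthesised continuation lines, which
    is how named writes long records such as RRSIG and SOA.
    """
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # comment runs to end of line
        depth += line.count("(") - line.count(")")
        buf.append(line.strip())
        if depth <= 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0
            if tokens:
                yield tokens


def parse_sig_time(field):
    """Parse an RRSIG inception/expiration field.

    RFC 4034 allows either YYYYMMDDHHmmSS (what BIND writes) or seconds
    since the Unix epoch; both are UTC.
    """
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def expiring_rrsigs(zone_text, now, grace=WEEK):
    """Return (owner, type_covered, expiration) for every RRSIG whose
    expiration is within `grace` of `now` (or already past).

    RRSIG presentation: owner [ttl] [class] RRSIG type alg labels orig_ttl
    expiration inception keytag signer signature...
    """
    flagged = []
    for rec in zone_records(zone_text):
        if "RRSIG" not in rec[:4]:           # RRSIG keyword sits in the first few fields
            continue
        i = rec.index("RRSIG")
        try:
            expires = parse_sig_time(rec[i + 5])
        except (IndexError, ValueError):
            continue                          # malformed record: skip, do not guess
        if expires - now <= grace:
            flagged.append((rec[0], rec[i + 1], expires))
    return flagged


if __name__ == "__main__":
    for owner, rtype, exp in expiring_rrsigs(SAMPLE_ZONE, REFERENCE_NOW):
        print(f"{owner} RRSIG({rtype}) expires {exp:%Y-%m-%d %H:%M} UTC -> re-sign")
```

Run it against the master file of a dynamic zone with the current time as `now`; anything it lists is a signature the update traffic alone will not renew, which is exactly the case the freeze/re-sign step is meant to catch.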
