automatic resigning in 9.6.x

Evan Hunt Evan_Hunt at isc.org
Sat Mar 7 04:46:20 UTC 2009


> What is a "dynamic zone" in this context?

In the case of master zones, it means the zone allows DDNS updates (e.g.,
from nsupdate).  So it either has an update-policy set, or an allow-update
ACL set to something other than "none".  (Incidentally, making it easier to
set up DDNS and, by extension, automatic re-signing, is a planned feature
for 9.7.)

BIND 9 has, I believe, always had some support for automatic signing in the
case of zone updates--at least as far back as 9.3, and I haven't looked at
anything earlier.  Basically, if you have a signed zone and you insert a
new record, that record will automatically have an RRSIG generated for it.

The enhancement in 9.6 is that signatures are also kept up to date on a
schedule.  By default, signatures are generated with a validity period of
30 days, and regenerated a quarter of the way through that time, i.e., after
seven and a half days.  These values can be configured with the
"sig-validity-interval" option, for details of which see the ARM.
Also see "sig-signing-nodes" and "sig-signing-signatures".

> I assume the "secure" means the zone file has been signed at least once?

That's correct.

There's some experimental code in bin/named/update.c, ifdeffed
out under the names ALLOW_INSECURE_TO_SECURE and ALLOW_SECURE_TO_INSECURE,
that allows you to make an unsigned zone sign itself if you insert a
DNSKEY RRset into it.

But when I say "experimental" I mean it: this is *not yet supported*.  It
may turn up as a feature in 9.7, though.

> Does the named user also need write access to the zone files to
> accomplish the resigning?

To the zone files, and to the directory they're in, so named can create
journal files.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
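An added example (not code from the original post or from ISC) of a named.conf fragment that puts together the pieces described above: a master zone made dynamic with update-policy so that named maintains the RRSIGs itself, an explicit sig-validity-interval, and a directory that named can write to for the journal file. The zone name, key name, file paths and TSIG secret are placeholders chosen for the example.

```conf
// Added example named.conf fragment. example.com, the key name, the paths
// and the secret are placeholders, not values taken from the post.

options {
    // The zone file lives here. named needs write access to the file AND to
    // this directory, because the journal (example.com.db.signed.jnl) is
    // created next to the zone file when the first DDNS update arrives.
    directory "/var/named/dynamic";

    // Signatures are generated with a 30-day validity (the default) and
    // regenerated a quarter of the way through, i.e. after 7.5 days.
    // This can also be set per zone.
    sig-validity-interval 30;
};

// TSIG key that DDNS clients (e.g. nsupdate -k) use to authenticate
// updates. Placeholder secret: generate a real one with dnssec-keygen.
key "ddns-key.example.com." {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "example.com" {
    type master;

    // The file must already have been signed once (it contains RRSIGs);
    // that is what "secure" means in the post. named will then add an
    // RRSIG for every record inserted via DDNS and re-sign on schedule.
    file "example.com.db.signed";

    // update-policy (or an allow-update ACL other than "none") is what makes
    // this a "dynamic zone". With the subdomain nametype the key may update
    // any name at or below example.com, and nothing else.
    update-policy {
        grant ddns-key.example.com. subdomain example.com. ANY;
    };
};
```

For the write access the post mentions, the directory and the zone file should be owned by (or group-writable for) the account named runs as, while the rest of the configuration stays read-only to it; if the journal cannot be created, the update is rejected and named logs the failure rather than signing anything.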


