automatic resigning in 9.6.x

Evan Hunt Evan_Hunt at isc.org
Sat Mar 7 18:00:10 UTC 2009


> Ok...so to implement this in bind 9.4.2-P2, I see the directive
> sig-validity-interval in the ARM, if I set this to 1,
> edit zone.db.signed, add a new entry, increment the serial, rndc
> reload, what tells bind to resign the zone, and when?

Using a dynamic zone, and sending an update.

First of all, don't set sig-validity-interval, it defaults to a
perfectly good value already (30 days).

Second, make your zone dynamic by, for example, adding a zone ACL
"allow-update { localhost; };" (It's better to use a TSIG key, but
I'm keeping the instructions simple here.)

Third, in the zone definition in named.conf, add a "key-directory"
statement to tell named where to find the zone signing key--that is,
the K*.key and K*.private files.  (Note that you have to keep your
private key online for this to work; this may be considered risky for
a high security zone.)

Once that's all been done, you use "nsupdate" to add the new record.
For example:

# nsupdate
> server localhost 53
> zone example.com.
> update add newname.example.com. 3600 in a 10.0.0.1
> send

...creates an A record for "newname.example.com" with an address of
10.0.0.1 and a TTL of 3600.  And if the zone is signed and named has
access to the private key, it will have an RRSIG record added as well.

However, if you're using BIND 9.4, the RRSIG will have a lifetime of
30 days (or whatever sig-validity-interval is set to), and it will not be
kept updated automatically.  You'll have to re-sign the zone by hand on
schedule.  In 9.6, you can leave it alone and it'll take care of itself.

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
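An added example, not part of the message above: the nsupdate step scripted instead of typed interactively, authenticated with a TSIG key (which the reply recommends over the "allow-update { localhost; };" shortcut), followed by a dig check that named actually attached an RRSIG to the new record. The key name, key file path and named.conf stanza in the comments are assumptions for illustration; only the example.com names, zone.db.signed and the 10.0.0.1/3600 values come from the thread.

```shell
#!/bin/sh
# Added example (not from the original message). Assumed named.conf on the
# server, also not from the message:
#   key "update-key" { algorithm hmac-sha256; secret "<base64 secret>"; };
#   zone "example.com" {
#       type master; file "zone.db.signed";
#       key-directory "/etc/bind/keys";      # where the K*.key/K*.private live
#       allow-update { key "update-key"; };  # TSIG instead of a source address
#   };
set -eu

SERVER="${SERVER:-localhost}"
# Placeholder path: a key file that "nsupdate -k" accepts for update-key.
TSIG_KEY="${TSIG_KEY:-/etc/bind/keys/update-key.private}"

# Build the nsupdate command batch for adding one A record.
# Printed rather than run, so it can be inspected or piped to nsupdate.
nsupdate_batch() {
    zone="$1"; name="$2"; ttl="$3"; addr="$4"
    printf 'server %s 53\n' "$SERVER"
    printf 'zone %s\n' "$zone"
    printf 'update add %s %s IN A %s\n' "$name" "$ttl" "$addr"
    printf 'send\n'
}

# Send the batch to named, signed with the TSIG key (-k). The server side
# then enforces allow-update { key "update-key"; } rather than trusting
# whoever can reach 127.0.0.1.
add_a_record() {
    nsupdate_batch "$@" | nsupdate -k "$TSIG_KEY"
}

# Check: query with the DO bit set and confirm an RRSIG covering the A
# RRset is returned. Exit status 0 means the record came back signed.
rrsig_present() {
    name="$1"
    dig +dnssec +noall +answer @"$SERVER" "$name" A \
        | grep -q 'IN[[:space:]]*RRSIG[[:space:]]*A[[:space:]]'
}

# Usage: ./addrec.sh run   (needs a reachable named with the config above)
if [ "${1:-}" = "run" ]; then
    add_a_record example.com. newname.example.com. 3600 10.0.0.1
    rrsig_present newname.example.com. && echo "RRSIG present for newname.example.com."
fi
```

On 9.4 the RRSIG this produces still expires after sig-validity-interval unless the zone is re-signed; on 9.6 named keeps it refreshed, as the reply says.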