bind autosign - DS distribution
Matus UHLAR - fantomas
uhlar at fantomas.sk
Thu Dec 9 22:26:44 UTC 2010
> In message <20101209220716.GA2066 at fantomas.sk>, Matus UHLAR - fantomas writes:
> > pardon my ignorance if this has been discussed (haven't notice), but
> > if BIND is configured to automatically sign dynamic zones, does it
> > distribute DS records to parent zones somehow? and if not, what are ways to
> > do that?
On 10.12.10 09:15, Mark Andrews wrote:
> This is IETF dnsext/dnsop fodder.
>
> The simple way would be to just record a TSIG key in the child zones
> config to update the parent zone and use signed UPDATE messages.
> Unfortunately this has run into layer 9 issues.
maybe some alternative of NOTIFY mechanism?
However that's apparently why I missed it...
I think I'll try with opendnssec. I even don't like the automatic mechanism
much because of bulk updates which I do quite often.
Is it possible(planned) for bind to sign slave zone?
And, are incremental updates possible with dnssec?
I'm thinking about hidden master bind loading (un)signed zones and providing
axfr/ixfr to our public servers
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Despite the cost of living, have you noticed how popular it remains?
More information about the bind-users
mailing list