bind autosign - DS distribution
Mark Andrews
marka at isc.org
Thu Dec 9 22:41:30 UTC 2010
In message <20101209222644.GA2225 at fantomas.sk>, Matus UHLAR - fantomas writes:
> > In message <20101209220716.GA2066 at fantomas.sk>, Matus UHLAR - fantomas writ
> es:
> > > pardon my ignorance if this has been discussed (haven't notice), but
> > > if BIND is configured to automatically sign dynamic zones, does it
> > > distribute DS records to parent zones somehow? and if not, what are ways
> to
> > > do that?
>
> On 10.12.10 09:15, Mark Andrews wrote:
> > This is IETF dnsext/dnsop fodder.
> >
> > The simple way would be to just record a TSIG key in the child zones
> > config to update the parent zone and use signed UPDATE messages.
> > Unfortunately this has run into layer 9 issues.
>
> maybe some alternative of NOTIFY mechanism?
>
> However that's apparently why I missed it...
> I think I'll try with opendnssec. I even don't like the automatic mechanism
> much because of bulk updates which I do quite often.
>
> Is it possible(planned) for bind to sign slave zone?
The master signs the zone. The slaves just serve it.
> And, are incremental updates possible with dnssec?
Yes. You just send the signature and nsec/nsec3 changes as well as the
data changes themselves.
> I'm thinking about hidden master bind loading (un)signed zones and
> providing axfr/ixfr to our public servers
DNSSEC works with hidden masters.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list