dnssec subzone not signed question
jim
glass4545 at gmail.com
Wed Dec 22 20:51:37 UTC 2010
Greetings,
Thanks to all for the excellent information on the list and taking the time
to reply.
Upgrading server hardware, RedHat SELinux, bind, dhcp and going for dnssec
on these new machines.
Getting close but still some basic questions before going to a production
island of security.
Signed zone example.edu, seen the zone and inaddr.arpa grow as follows using
key size of 1024:
58,930 dns.example-dom
11,892,408 dns.example-dom.signed
3,191 dns.net-example
6,879,841 dns.net-example.signed
This was just for our static configurations, the size increase got me
worried about our dynamic dns zones for wireless and residence hall
machines. Have been running ddns and dhcp on same machine, master for the
ddns zones, i.e.
.wireless1.example.edu , .wireless2.example.edu ....
.building1.example.edu , .building2.example.edu ....
The master for example.edu is on one machine and a third machine is
secondary for these two.
Lots of ddns traffic on the wireless zones, not much on the hardwired
building zones.
Anyway, do not really need dnssec for these dynamic zones, at least not
right now.
Showing my ignorance, can I
Just not sign the dynamic subzones, wirelessN/buildingN.example.edu, even
though example.edu is signed?
Testing with dig, do not get SERVFAIL for the dynamic subzones, and do get
the RRSIG for signed example.edu queries.
Worried I am breaking something not signing the subzones under a signed main
zone and will not see it until going live?
example.edu is signed
subzone.example.edu is not signed
thanks!
jim
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20101222/26a7b55e/attachment.html>
More information about the bind-users
mailing list