auto update signatures dnssec
Alan Clegg
aclegg at isc.org
Mon Dec 27 13:48:36 UTC 2010
On 12/27/2010 1:07 AM, fakessh wrote:
> good day and merry christmas.
Thanks, and to you as well.
> I just put in place guidelines in bind config to update the signatures
> dnssec
> I'm looking for options that require the least amount of maintenance, so that
> all updates of signatures are performed without any external intervention
>
> i quote my named conf
>
> zone "fakessh.eu" {
> type master;
> file "/var/named/fakessh.eu.hosts";
> auto-dnssec maintain;
> update-policy local;
> key-directory "/var/named/keyset-fakessh.eu";
> allow-transfer { 213.251.188.140;87.98.164.164;
> 195.234.42.1;94.23.59.30; };
> };
>
> So, are these guidelines good options?
A bit more interesting is the command that you used to sign the zone.
When signatures reach 3/4 lifetime, the associated record is
automatically re-signed.
Additionally, when new keys are made available, signatures will be created
based on the timing metadata in the keys.
Overall, the defaults seem to be "good enough" for nearly everyone.
AlanC
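The 3/4-lifetime rule Alan describes is easy to verify from the outside: with the default 30-day sig-validity-interval, no RRSIG served by a healthy "auto-dnssec maintain" zone should ever be seen more than three quarters of the way to its expiration. The script below is an added example for this thread (it is not from the original post and not part of BIND). It parses RRSIG records in zone-file / "dig +dnssec" presentation format, accepting both the YYYYMMDDHHmmSS and the seconds-since-epoch timestamp forms that RFC 4034 allows, and flags any signature that is past the re-sign point or already expired. The records, key tags and signature data it checks are constructed sample input, and the reference time is the date of this message.

```python
"""Check RRSIG lifetimes against BIND's re-sign threshold (added example).

With ``auto-dnssec maintain`` BIND re-signs an RRset once its RRSIG has
passed about 3/4 of its validity period.  If a signature fetched from a
running server is past that point, automatic maintenance is not doing its
job; if it is past expiration, validating resolvers already reject the zone.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

RESIGN_FRACTION = 0.75  # fraction of the signature lifetime at which BIND re-signs

# Reference time for the sample run: the date of this mailing-list message.
EMAIL_DATE = datetime(2010, 12, 27, 13, 48, 36, tzinfo=timezone.utc)


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    key_tag: int
    inception: datetime
    expiration: datetime

    def lifetime_fraction(self, now):
        """Elapsed share of the validity window at time ``now`` (>1.0 means expired)."""
        lifetime = (self.expiration - self.inception).total_seconds()
        if lifetime <= 0:
            raise ValueError("inception %s is not before expiration %s"
                             % (self.inception, self.expiration))
        return (now - self.inception).total_seconds() / lifetime


def parse_timestamp(token):
    """RFC 4034 3.2: either YYYYMMDDHHmmSS (UTC) or an unsigned decimal epoch time."""
    if len(token) == 14 and token.isdigit():
        return datetime.strptime(token, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(token), tz=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG record in presentation format.

    Layout after the RRSIG token: type-covered algorithm labels original-TTL
    expiration inception key-tag signer signature...  The owner is always the
    first field; TTL and class may or may not be printed, so we locate the
    RRSIG token instead of relying on fixed positions.
    """
    fields = line.split()
    try:
        i = fields.index("RRSIG")
    except ValueError:
        raise ValueError("not an RRSIG record: %r" % line)
    if len(fields) < i + 9:
        raise ValueError("truncated RRSIG record: %r" % line)
    return Rrsig(
        owner=fields[0],
        type_covered=fields[i + 1],
        key_tag=int(fields[i + 7]),
        expiration=parse_timestamp(fields[i + 5]),
        inception=parse_timestamp(fields[i + 6]),
    )


def classify(sig, now):
    if now >= sig.expiration:
        return "expired"
    if sig.lifetime_fraction(now) >= RESIGN_FRACTION:
        return "overdue"  # BIND should already have re-signed this RRset
    return "ok"


def check_rrsigs(lines, now):
    """Return (owner, type covered, status, elapsed fraction) for each RRSIG line."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig comments
        sig = parse_rrsig(line)
        results.append((sig.owner, sig.type_covered, classify(sig, now),
                        sig.lifetime_fraction(now)))
    return results


# Constructed sample records (hypothetical key tags and signature data).
SAMPLE_RRSIGS = [
    ";; ANSWER SECTION:",
    "fakessh.eu. 3600 IN RRSIG SOA 8 2 3600 20110119000000 20101220000000 12345 fakessh.eu. c2lnbmF0dXJlMQ==",
    "fakessh.eu. 3600 IN RRSIG NS 8 2 3600 20101231000000 20101201000000 12345 fakessh.eu. c2lnbmF0dXJlMg==",
    "www.fakessh.eu. 3600 IN RRSIG A 8 3 3600 20101210000000 20101110000000 12345 fakessh.eu. c2lnbmF0dXJlMw==",
    # same 30-day window as the SOA signature, written as epoch seconds
    "fakessh.eu. 3600 IN RRSIG DNSKEY 8 2 3600 1295395200 1292803200 54321 fakessh.eu. c2lnbmF0dXJlNA==",
]


def run_sample():
    return check_rrsigs(SAMPLE_RRSIGS, EMAIL_DATE)


if __name__ == "__main__":
    for owner, rtype, status, frac in run_sample():
        print("%-20s %-6s %-8s %.0f%% of lifetime used" % (owner, rtype, status, frac * 100))
```

Feed it the output of "dig +dnssec fakessh.eu ANY @your-master" (or the RRSIG lines of the signed zone file) and anything reported as "overdue" or "expired" means the server is not re-signing as expected; the usual causes are the zone not being reloaded with the keys (rndc loadkeys / rndc sign) or key timing metadata, set with dnssec-keygen's -P/-A/-I/-D options or dnssec-settime, that has not yet reached its activation date.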