dnssec config sanity check

Stephane Bortzmeyer bortzmeyer at nic.fr
Tue Oct 4 06:45:16 UTC 2011


On Mon, Oct 03, 2011 at 05:32:18PM -0700,
 Paul B. Henson <henson at acm.org> wrote 
 a message of 59 lines which said:

> Our zone data is maintained in a revision control repository; when
> changes are made there is a process that generates a bind format
> zone file from the data, checks it for syntax errors, compiles, and
> then signs it, at the end reloading the zone into bind with rndc.

Experience of DNSSEC deployment (see my paper at SATIN
<http://conferences.npl.co.uk/satin/papers/satin2011-Bortzmeyer.pdf>)
shows that custom programs have many timing bugs. Many things can go
wrong. Why not use an existing program such as OpenDNSSEC?



More information about the bind-users mailing list