DNSSEC Signing & Key Questions

Tony Finch dot at dotat.at
Tue Oct 4 19:37:44 UTC 2011


McConville, Kevin <kmcconville at albany.edu> wrote:
>
> 1)  Is there any way to have the zsk be auto-generated based upon the
> inactive date listed in the zsk meta-data?

Not yet, though I believe this feature is on the wish list.

> 2)  With a static zone, are the update-policy local and auto-dnssec
> maintain options invalid/don't work? From the docs, they look like they
> are only for automation of dynamic zones?

Correct.

> 3)  Are there any ways to automate zone signing and zsk
> generation/roll-over with a totally static zone environment?

You can wait for BIND 9.9 and its inline-signing feature. Alternatively,
create a separate live dynamic zone and use something like my nsdiff
script to feed changes from your static zone file into it.

http://www-uxsup.csx.cam.ac.uk/~fanf2/hermes/conf/bind/bin/nsdiff

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Fair Isle, Faeroes: Southwest 6 to gale 8, decreasing 5 or 6 later. High,
becoming very rough. Rain or squally showers. Moderate or good, occasionally
poor.
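
The second suggestion above, feeding changes from a static zone file into a live signed dynamic zone, sketched as an added example; this is not nsdiff and not code from this thread. It assumes both inputs are already one record per line with fully qualified names (for instance a zone transfer of the live zone and a canonicalised copy of the static file), and the function names and sample records are constructed for illustration.

```python
# Added illustration; not nsdiff and not code from this thread.
# Types named generates itself in a signed dynamic zone. Diffing them against
# the unsigned static file would delete the signatures and keys.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}
# Simplification: SOA is skipped too, since named bumps the serial on update.
SKIP_TYPES = DNSSEC_TYPES | {"SOA"}

def parse_records(text):
    """Parse 'name ttl class type rdata' lines into a set of tuples."""
    records = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        name, ttl, _cls, rtype, rdata = line.split(None, 4)
        if rtype.upper() not in SKIP_TYPES:
            records.add((name.lower(), int(ttl), rtype.upper(), rdata))
    return records

def make_update(zone, live_text, static_text):
    """Return nsupdate input that makes the live zone match the static file."""
    live, static = parse_records(live_text), parse_records(static_text)
    deletes, adds = sorted(live - static), sorted(static - live)
    if not deletes and not adds:
        return ""  # nothing to send
    lines = ["zone %s" % zone]
    lines += ["update delete %s IN %s %s" % (n, t, d) for n, _ttl, t, d in deletes]
    lines += ["update add %s %d IN %s %s" % rec for rec in adds]
    lines.append("send")
    return "\n".join(lines) + "\n"

# Constructed sample data (example.com, documentation addresses).
LIVE = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011100401 3600 900 604800 3600
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN DNSKEY 256 3 8 CONSTRUCTEDKEY
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20111103000000 20111004000000 12345 example.com. CONSTRUCTEDSIG
www.example.com. 3600 IN NSEC example.com. A RRSIG NSEC
old.example.com. 3600 IN A 192.0.2.20
"""
STATIC = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2011100402 3600 900 604800 3600
example.com. 3600 IN NS ns1.example.com.
www.example.com. 3600 IN A 192.0.2.10
new.example.com. 3600 IN A 192.0.2.30
"""

if __name__ == "__main__":
    print(make_update("example.com.", LIVE, STATIC), end="")
```

The output is in the format nsupdate reads; with `update-policy local` on the dynamic zone it can be piped to `nsupdate -l` on the server.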


