key rollover with BIND 9.9

Lawrence K. Chen, P.Eng. lkchen at ksu.edu
Sat Jan 26 20:10:00 UTC 2013



----- Original Message -----
> What are other people using to automate key rollovers with 9.9?

I use cron to generate new ZSKs at regular intervals (1st of every 3rd month, with a 10-day window) and do periodic resigns (every payday), and rely on the tools to handle the rollover correctly.  Though my crontab formula breaks in 2016, because 2015 will have 53 weeks.

The only time the tools balked was when I switched from NSEC to NSEC3...  But that was back with 9.7 and before I knew about the problem with wildcards and NSEC3, where upgrading to 9.9 was needed.  Instead we got rid of the wildcard.

The wildcard exists only in the external view, because we didn't want the names of internal hosts exposed... but users kept sending mail with the internal host name... so we put a wildcard MX in the external view.  But now we don't allow them to send mail out with an internal host name.  Which reminds me... I'm not getting emails from our F5 anymore, because I'm guessing the postfix settings got reset after the upgrade, so it's not using its outside name anymore.

Yup... /etc/postfix/canonical isn't saved in the ucs.  Plus it doesn't autostart after an upgrade either :)

-- 
Who: Lawrence K. Chen, P.Eng. - W0LKC - Senior Unix Systems Administrator
For: Enterprise Server Technologies (EST) -- & SafeZone Ally
Snail: Computing and Telecommunications Services (CTS)
Kansas State University, 109 East Stadium, Manhattan, KS 66506-3102
Phone: (785) 532-4916 - Fax: (785) 532-3515 - Email: lkchen at ksu.edu
Web: http://www-personal.ksu.edu/~lkchen - Where: 11 Hale Library
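As an added example (not from this post and not BIND's own code): a small Python check that a cron-driven ZSK rollover job can run before calling dnssec-keygen, so that it creates a successor only when the active ZSK has none scheduled. It reads the Publish/Activate/Inactive/Delete lines that BIND 9.9's dnssec-keygen and dnssec-settime write into K*.key files; the key names, dates and key material below are constructed, and the 10-day prepublication interval follows the window mentioned above.

```python
from datetime import datetime
import re

# Timing lines BIND 9.9's dnssec-keygen / dnssec-settime write into K<zone>+<alg>+<id>.key
# (timestamps are YYYYMMDDHHMMSS, UTC); the DNSKEY flags field tells ZSK (256) from KSK (257).
TIMING_RE = re.compile(r"^;\s*(Publish|Activate|Inactive|Delete):\s*(\d{14})", re.M)
FLAGS_RE = re.compile(r"\bIN\s+DNSKEY\s+(\d+)\b")

# Constructed sample key files (no real key material): A is the active ZSK,
# B is the successor that 'dnssec-keygen -S' would create for it.
SAMPLE_A = """; Publish: 20130101000000 (Tue Jan  1 00:00:00 2013)
; Activate: 20130111000000 (Fri Jan 11 00:00:00 2013)
; Inactive: 20130411000000 (Thu Apr 11 00:00:00 2013)
; Delete: 20130501000000 (Wed May  1 00:00:00 2013)
example.com. IN DNSKEY 256 3 8 AwEAAcCONSTRUCTEDPLACEHOLDER
"""
SAMPLE_B = """; Publish: 20130401000000 (Mon Apr  1 00:00:00 2013)
; Activate: 20130411000000 (Thu Apr 11 00:00:00 2013)
example.com. IN DNSKEY 256 3 8 AwEAAcCONSTRUCTEDPLACEHOLDER
"""

def parse_timing(key_text):
    """Map the timing fields present in one .key file to datetimes."""
    return {name: datetime.strptime(ts, "%Y%m%d%H%M%S")
            for name, ts in TIMING_RE.findall(key_text)}

def is_zsk(key_text):
    m = FLAGS_RE.search(key_text)
    return m is not None and int(m.group(1)) == 256

def successor_needed(keys, now):
    """Return the active key (Activate <= now < Inactive) if no other key is scheduled
    to take over by its Inactive time, else None; this keeps the cron job idempotent."""
    for cur, t in keys.items():
        if "Activate" in t and "Inactive" in t and t["Activate"] <= now < t["Inactive"]:
            covered = any(n != cur and "Activate" in o and now < o["Activate"] <= t["Inactive"]
                          for n, o in keys.items())
            return None if covered else cur
    return None

def successor_command(predecessor, prepublish_days=10):
    """-S copies name/algorithm/size and sets Activate to the predecessor's Inactive;
    -i places Publish that many days earlier so the DNSKEY propagates before it signs."""
    return ["dnssec-keygen", "-S", predecessor, "-i", f"{prepublish_days}d"]

def plan_rollover(key_files, now_ts):
    """key_files: {key name: .key text}; now_ts: 'YYYYMMDDHHMMSS'. Returns the
    dnssec-keygen argv the cron job should run, or None when nothing is due."""
    keys = {n: parse_timing(t) for n, t in key_files.items() if is_zsk(t)}
    pred = successor_needed(keys, datetime.strptime(now_ts, "%Y%m%d%H%M%S"))
    return successor_command(pred) if pred else None
```

In a real cron job the key_files dict would be built by reading the zone's key directory (the one passed to named's key-directory and to dnssec-keygen -K), and the returned argv run with subprocess.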


