Automatic DNSSEC signing workflow
Tony Finch
dot at dotat.at
Tue Jul 5 14:26:31 UTC 2016
Daniel A. Ramaley <daniel.ramaley at drake.edu> wrote:
>
> From the responses i received, it seems i completely misunderstood how
> automatic signing is supposed to work. If i'm now understanding
> correctly, there are 2 mutually exclusive ways to do things:
> 1) Maintain zone files with a text editor, and sign them manually.
> 2) Maintain zones with nsupdate, and let Bind sign them.
Option 2 is best when you have an update-policy clause. There is no need
for inline-signing in this case.
There is a third option:
3) Maintain zone files with a text editor, and use inline-signing mode to
get named to sign them.
For option 3 you don't want an update-policy clause.
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Dogger: Northwesterly 4 or 5, occasionally 6 in east. Slight or moderate.
Showers. Good.
More information about the bind-users
mailing list