Automatic DNSSEC signing workflow
Mark Andrews
marka at isc.org
Wed Jul 6 01:11:38 UTC 2016
In message <2274914.OQEsm7p8Dx at dan>, "Daniel A. Ramaley" writes:
> On 2016-07-05 at 15:26:31 Tony Finch wrote:
> > There is a third option:
> >
> > 3) Maintain zone files with a text editor, and use inline-signing mode
> > to get named to sign them.
> >
> > For option 3 you don't want an update-policy clause.
>
> OK, that's actually the behavior that i was trying to achieve. Earlier i
> tried commenting out the update-policy line and doing some testing and
> it didn't work. But then i discovered a permissions problem on some of
> the key files. Once i fixed the key files permissions, Bind started
> behaving exactly the way i'd like it to!
>
> Thanks again for the help! I've done enough testing now that i'm
> reasonably confident Bind is behaving the way we want it to, where we
> can maintain the zone files with a text editor, but let Bind manage the
> signing.
If you want to use a editor you can always use contrib/zone-edit.sh
which uses nsupdate to perform the actual updates after editing the
zone contents. The script transfers the current zone from the
server and strips out the most of the DNSSEC records prior to
editing. Really large changes need to be done in smaller chucks
but for day to day changes it should be not significantly different
from what is currently being done and you don't have to remember
to update the serial.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list