ddns/dhcpd/sig0

[Bob Miller]

A good day to you all;
I recently decided to wrap my head a little tighter around dnssec.  In
the past I have successfully set up a master/slave/dhcp server all using
tsig keys.  
This time I set up bind9 with sig0 keys.  Turned out to be not that
painful - the real slow down was in searching for some kind of special
configuration for the slave server.  However, I configured the slave as
normal and only enabled dnssec, then it went and pulled a record from
the master which included a key record - so it seems nothing special for
the slave is required.
My question is about dhcpd, and how/if I can make it fit into the sig0
scheme I set up with bind9.  I have found a few articles that make it
seem as though dhcpd uses nsupdate to change records in bind's zone
files.  grep'ing for nsupdate in the dhcp source code does answer in the
dhcpd.c and dhpcd.h files, which indicates to me that dhcpd might be
able to use nsupdate.  I have also found a few manpages for nsupdate
that indicate that in recent versions sig0 is supported.  one or two
articles talk about letting the dhclient do the nsupdate instead of the
server (not very desirable to me).  a reasonably recent mailing list
post indicates that while sig0 is appropriate for bind9, tsig is still
required by that poster for dhcpd.  And I read one post from dec 2010
that stated dhcpd probably doesn't support sig0.
I wonder if someone might clarify for me, or point me at the appropriate
documentation, how/if one might configure the dhcp server to do ddns
updates using the sig0 key instead of having to generate and use tsig
keys.
Thank you for any thoughts...
-- 
Bob Miller
334-7117/660-5315
http://computerisms.ca
bob at computerisms.ca
Network, Internet, Server,
and Open Source Solutions