Dynamic Update Zones and DNSSEC
Mark.Andrews at nominum.com
Thu Feb 1 00:12:10 UTC 2001
>
> On Wed, 31 Jan 2001, Andreas Gustafsson wrote:
>
> > > I have a signed dynamic update zone (which I can actually update and see
> > > signed changes to the data and SOA) which has some sets in need of new
> > > signatures (i.e., they have expired). How do I poke BIND 9 to create new
> > > signatures over data I haven't been updating?
> >
> > This is an interesting problem which RFC3007 fails to address.
>
> I agree that it's an interesting problem, but don't think RFC 3007 should
> have addressed it. RFC 3007 addresses performing dynamic updates
> securely, not performing dynamic updates of secure zones. Yes, it
> specifies that the server should generate signatures (so they fit into the
> zone), but it would be out of the scope of the document to describe
> resigning policies. This should probably be a new draft - once someone
> figures out what the right way to do it is. Should everything just be
> resigned, and if so, how often?
>
> Brian
>
>
I don't think this even requires a draft. The zones need to be
periodically signed. Whether the server does it or it is
performed offline is a policy decision.
Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark.Andrews at nominum.com
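The question in this thread is how to find RRSIGs whose validity period has lapsed or is about to lapse so the covered sets can be re-signed. The following is an added example, not code from the thread or from BIND: it reads RRSIG records in standard presentation format (type covered, algorithm, labels, original TTL, expiration, inception, key tag, signer, signature) from a zone dump, compares the expiration field against a reference time, and reports which sets are already expired and which fall inside a chosen refresh window. The zone lines, names and the seven-day window are constructed for illustration.

```python
"""Report RRSIGs in a zone dump that have expired or will expire soon.

Added example for the re-signing question above; it is not part of the
original thread and does not use BIND's own code. The zone content below
is constructed sample data.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample zone text. Each RRSIG line follows the presentation
# format: owner TTL class RRSIG type-covered alg labels orig-ttl
# expiration inception key-tag signer signature. Times are YYYYMMDDHHmmSS UTC.
SAMPLE_ZONE = """
example.test.      3600 IN SOA   ns.example.test. hostmaster.example.test. 2001013100 7200 3600 1209600 3600
example.test.      3600 IN RRSIG SOA 5 2 3600 20010215000000 20010116000000 12345 example.test. AAAA==
www.example.test.  3600 IN A     192.0.2.10
www.example.test.  3600 IN RRSIG A   5 3 3600 20010120000000 20001221000000 12345 example.test. BBBB==
mail.example.test. 3600 IN A     192.0.2.25
mail.example.test. 3600 IN RRSIG A   5 3 3600 20010201120000 20010102120000 12345 example.test. CCCC==
"""


@dataclass
class Rrsig:
    owner: str
    type_covered: str
    expiration: datetime
    inception: datetime


def parse_sigtime(field: str) -> datetime:
    """Parse the 14-digit RRSIG expiration/inception field as UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text: str) -> list[Rrsig]:
    """Extract RRSIG records from zone presentation text; skip other RR types."""
    sigs: list[Rrsig] = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        sigs.append(
            Rrsig(
                owner=fields[0],
                type_covered=fields[4],
                expiration=parse_sigtime(fields[8]),
                inception=parse_sigtime(fields[9]),
            )
        )
    return sigs


def classify_signatures(
    zone_text: str, now: datetime, refresh_window: timedelta = timedelta(days=7)
) -> dict[str, list[str]]:
    """Group RRSIGs into expired, expiring-soon (within the window) and ok.

    Each entry is "<owner> <type covered>" so a re-signing job can address the
    exact RRset. A signature whose inception lies in the future is also listed
    as expired, since validators will reject it until inception passes.
    """
    result: dict[str, list[str]] = {"expired": [], "expiring": [], "ok": []}
    for sig in parse_rrsigs(zone_text):
        label = f"{sig.owner} {sig.type_covered}"
        if sig.expiration <= now or sig.inception > now:
            result["expired"].append(label)
        elif sig.expiration - now <= refresh_window:
            result["expiring"].append(label)
        else:
            result["ok"].append(label)
    return result


if __name__ == "__main__":
    # Reference time chosen near the date of the thread; constructed.
    reference = datetime(2001, 1, 31, 0, 0, tzinfo=timezone.utc)
    for bucket, names in classify_signatures(SAMPLE_ZONE, reference).items():
        print(f"{bucket}:")
        for name in names:
            print(f"  {name}")
```

Run against a real dump (for example the output of a zone transfer or the server's on-disk zone file), the "expired" and "expiring" lists are the RRsets that need fresh signatures; how those signatures are produced, by the server or by an offline signer, is the policy question Mark refers to.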