Dynamic Update Zones and DNSSEC

Mark.Andrews at nominum.com
Thu Feb 1 00:12:10 UTC 2001


> 
> On Wed, 31 Jan 2001, Andreas Gustafsson wrote:
> 
> > > I have a signed dynamic update zone (which I can actually update and see
> > > signed changes to the data and SOA) which has some sets in need of new
> > > signatures  (i.e., they have expired).  How do I poke BIND 9 to create new
> > > signatures over data I haven't been updating?
> >
> > This is an interesting problem which RFC3007 fails to address.
> 
> I agree that it's an interesting problem, but don't think RFC 3007 should
> have addressed it.  RFC 3007 addresses performing dynamic updates
> securely, not performing dynamic updates of secure zones.  Yes, it
> specifies that the server should generate signatures (so they fit into the
> zone), but it would be out of the scope of the document to describe
> resigning policies.  This should probably be a new draft - once someone
> figures out what the right way to do it is.  Should everything just be
> resigned, and if so, how often?
> 
> Brian
> 
> 
	I don't think this even requires a draft.  The zones need to be
	periodically signed.  Whether the server does it or it is
	performed offline is a policy decision.

	Mark
--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
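The question that opened the thread is really two problems: finding which RRsets still carry a lapsed signature, and then re-signing them. Whichever policy is chosen for the second part (server-side or offline, as Mark says), the first part is a check worth automating. The script below is an added example and is not code from the thread's posters or from BIND. It reads a zone in presentation (text) form, one expanded record per line as a zone transfer prints it, and reports every SIG/RRSIG record that is expired, not yet valid, or expiring within a warning window. The sample zone, key tag 12345, signer name and signature data are all constructed for the example; the RFC 2535 SIG type discussed here and the later RRSIG type share the same field layout, so both are accepted.

```python
"""Find SIG/RRSIG records in a DNSSEC zone that have expired or are about to.

Added example for this thread; not code from the bind-users posters or from
BIND.  Input is the zone in presentation (text) form, one record per line and
already expanded (no $ORIGIN, no @, no parentheses), as a zone transfer would
print it.  SIG (RFC 2535) and RRSIG records share the same field layout.
"""
from datetime import datetime, timedelta, timezone

SIG_TYPES = ("SIG", "RRSIG")


def parse_sigtime(text):
    """Decode a signature inception/expiration field into an aware UTC datetime.

    The field is either YYYYMMDDHHMMSS or a bare count of seconds since the epoch.
    """
    if len(text) == 14:
        return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(text), tz=timezone.utc)


def parse_signatures(zone_text):
    """Return one dict per SIG/RRSIG record found in the zone text."""
    sigs = []
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        tokens = line.split()
        # The owner name is always first; TTL and class are optional, so locate
        # the type token instead of assuming a fixed column.
        idx = next((i for i, t in enumerate(tokens)
                    if i >= 1 and t.upper() in SIG_TYPES), None)
        if idx is None or len(tokens) < idx + 9:
            continue                              # not a signature record
        # RDATA after the type: covered-type alg labels orig-ttl expiration
        # inception keytag signer signature...
        sigs.append({
            "line": lineno,
            "owner": tokens[0],
            "covers": tokens[idx + 1].upper(),
            "expiration": parse_sigtime(tokens[idx + 5]),
            "inception": parse_sigtime(tokens[idx + 6]),
            "keytag": int(tokens[idx + 7]),
            "signer": tokens[idx + 8],
        })
    return sigs


def expiring_signatures(zone_text, now, warn=timedelta(days=7)):
    """List signatures that are expired, not yet valid, or expire within `warn`.

    Signatures that are currently valid and expire after now + warn are left
    out.  The result is sorted by expiration so the most urgent RRsets come first.
    """
    report = []
    for sig in parse_signatures(zone_text):
        if sig["expiration"] <= now:
            status = "expired"
        elif sig["inception"] > now:
            status = "not yet valid"
        elif sig["expiration"] - now <= warn:
            status = "expiring"
        else:
            continue
        report.append(dict(sig, status=status))
    report.sort(key=lambda s: s["expiration"])
    return report


# Constructed sample zone, not real data.  The SOA signature is fresh because
# each dynamic update re-signs the SOA; the NS set has not been touched since
# the zone was first signed, so its signature has lapsed, and the A set is
# about to follow.
SAMPLE_ZONE = """\
example.test.      3600 IN SOA  ns.example.test. hostmaster.example.test. 2001013101 7200 3600 604800 3600
example.test.      3600 IN SIG  SOA 3 2 3600 20010301000000 20010130000000 12345 example.test. AAAA
example.test.      3600 IN NS   ns.example.test.
example.test.      3600 IN SIG  NS 3 2 3600 20010115000000 20001216000000 12345 example.test. AAAA
www.example.test.  3600 IN A    192.0.2.10
www.example.test.  3600 IN SIG  A 3 3 3600 20010205000000 20010106000000 12345 example.test. AAAA
"""

if __name__ == "__main__":
    now = parse_sigtime("20010201001210")         # the date of the post above
    for s in expiring_signatures(SAMPLE_ZONE, now):
        print(f"{s['status']:>13}: {s['owner']} {s['covers']} "
              f"(keytag {s['keytag']}, expires {s['expiration']:%Y-%m-%d %H:%M}Z)")
```

Run against the sample at the post's timestamp, it flags the NS signature as expired and the A signature as expiring, and says nothing about the SOA, which is exactly the pattern the original question describes: only the RRsets that dynamic updates happen to touch get fresh signatures, so anything else has to be caught by a periodic check like this one and re-signed by whatever policy the operator settles on.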