Dynamic update, DNSSEC, and refreshing signatures

Paco Hope paco at tovaris.com
Tue Oct 2 13:04:28 UTC 2001

I'm experimenting in a test lab with DNSSEC on dynamically updated zones. Here are some things that I think are true. Anyone disagree?

1. Once you start using dynamic update on a zone, you should always use dynamic update to update that zone. Because of the changing
journal files, it's a little dangerous to just go muck with the raw zone data in the zone file.

2. BIND will compute and create whatever NXT and SIG records are necessary when you dynamically add or delete things from a signed zone
(assuming it has the right keys available).

3. BIND never detects or renews expired signatures on records. Signatures can only be refreshed by running dnssec-signzone on the zone.

My problem is that the signatures on my records expire periodically, but the signatures are in dynamically-updated zones.

In theory I can wait until the zone is quiescent, stop the server, sign the zone, and restart the server. If I sign the zone file, I am
in conflict with (1) above. What if the zone isn't quiescent? When I sign the text zone file I could conceivably lose an update that's
recorded only in the journal file. (Does dnssec-signzone understand journal files?)

If I stop the server while I sign the zone, my server is down for however long it takes to sign the zone. That's non-optimal.

What is the recommended practice for keeping record signatures up to date? I hope I'm not missing something obvious.

Paco Hope
Director of Product Development         P: 434.245.5300 x118
Tovaris: The Digital Identity Company   F: 434.245.5301
http://www.tovaris.com/                 paco at tovaris.com
