DNSSEC and dynamic update

Chris Thompson cet1 at hermes.cam.ac.uk
Wed Jul 16 23:37:50 UTC 2008


On Jul 11 2008, Mark Andrews wrote:

>> Also as a "NetReg" site we are heavily into dynamic dns update - how,
>> if at all, is that effected?
>
>	For BIND 9.5 you need to freeze periodically to
>	re-sign records that have not been re-signed as part of the
>	update process.  BIND 9.6 will re-sign the zone as needed.
>	
>	The latter works well.  I haven't had to manually sign my zones
>	for months.

As I suppose we are all thinking about DNSSEC at the moment, it would be
useful to have some clarification about the interaction between DNSSEC
and dynamic update. We have been using update operations exclusively[*] 
on all our zones for some time now. 

[*] OK: there is a backstop freeze-replace-thaw procedure for use in 
emergencies as well...

AFAICS there is no difference between 9.4.x and 9.5.x in this area: one
has to put the new RRSIG (and NSEC, in general?) records into one's update
requests; i.e. BIND cannot do any of the work for you. Have I got this right?
The "periodic freeze" would be to replace soon-to-expire RRSIGs? Although this
could presumably be done via update operations as well.

So, can we have a preview of what goodies BIND 9.6.x is going to give us?
As clearly it already exists on Mark's testbed :-)

Maybe I should also ask: when will NSEC3 be supported by BIND's DNSSEC 
validation code?  Not so much because we want to use it (we are not
paranoid about "enumeration") but because we expect it to be a sticking
point for many zones out there.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
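The "soon-to-expire RRSIG" check behind the periodic re-signing that the message above discusses, as an added example that is not part of the original post and not BIND's own code: it parses RRSIG records in the presentation format that `dig` prints (RFC 4034 section 3.2, with YYYYMMDDHHmmSS UTC timestamps) and sorts the covered RRsets into already expired, expiring before a chosen cut-off, and not yet valid (inception in the future, which a clock-skewed signer can produce). The zone fragment, owner names, key tag and signature bytes are constructed for the example; the 7-day default is an assumption, not a BIND setting.

```python
from datetime import datetime, timedelta, timezone

# RRSIG presentation format (RFC 4034, section 3.2):
#   owner TTL class RRSIG type-covered algorithm labels original-TTL
#   sig-expiration sig-inception key-tag signer signature
# Both timestamps are YYYYMMDDHHmmSS in UTC, independent of the TTL.

# Constructed sample records for this example; not real zone data.
SAMPLE_RRSIGS = """\
www.example.org. 3600 IN RRSIG A 5 3 3600 20080720120000 20080620120000 12345 example.org. AbCdEf==
mail.example.org. 3600 IN RRSIG A 5 3 3600 20080815120000 20080716120000 12345 example.org. GhIjKl==
example.org. 3600 IN RRSIG NSEC 5 2 3600 20080710000000 20080610000000 12345 example.org. MnOpQr==
example.org. 86400 IN RRSIG SOA 5 2 86400 20080801000000 20080730000000 12345 example.org. StUvWx==
"""


def parse_sig_time(stamp):
    """Turn an RRSIG YYYYMMDDHHmmSS field into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG line in presentation format into a dict."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": fields[0],
        "type_covered": fields[4],
        "expiration": parse_sig_time(fields[8]),
        "inception": parse_sig_time(fields[9]),
        "key_tag": int(fields[10]),
        "signer": fields[11],
    }


def classify(rrsigs_text, now, warn_days=7):
    """Return (expired, expiring, not_yet_valid) lists of (owner, type).

    expired:       signature expiration is at or before `now`
    expiring:      expiration falls within the next `warn_days` days
    not_yet_valid: inception is still in the future (clock skew on the signer)
    """
    expired, expiring, not_yet_valid = [], [], []
    cutoff = now + timedelta(days=warn_days)
    for line in rrsigs_text.splitlines():
        if not line.strip():
            continue
        sig = parse_rrsig(line)
        key = (sig["owner"], sig["type_covered"])
        if sig["inception"] > now:
            not_yet_valid.append(key)
        elif sig["expiration"] <= now:
            expired.append(key)
        elif sig["expiration"] <= cutoff:
            expiring.append(key)
    return expired, expiring, not_yet_valid


if __name__ == "__main__":
    # Fixed "now" so the run is reproducible; use datetime.now(timezone.utc) in practice.
    now = parse_sig_time("20080716233750")
    expired, expiring, not_yet_valid = classify(SAMPLE_RRSIGS, now)
    for label, rrsets in (("expired", expired), ("expiring", expiring),
                          ("not yet valid", not_yet_valid)):
        for owner, rtype in rrsets:
            print("%-14s %s %s" % (label, owner, rtype))
```

Feed it the RRSIG lines from a zone transfer or `dig +dnssec` of each RRset; each RRset it lists needs a fresh RRSIG, whether that is delivered by the freeze/sign/thaw path or by an update request carrying the new signature. Note that the NSEC records themselves carry no expiry; it is their RRSIGs, like the third sample line, that age out, and the check keys off the signature's own expiration, never the record TTL.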
