DNSSEC and dynamic update

Mark Andrews Mark_Andrews at isc.org
Thu Jul 17 01:07:08 UTC 2008


> On Jul 11 2008, Mark Andrews wrote:
> 
> >> Also as a "NetReg" site we are heavily into dynamic dns update - how,
> >> if at all, is that effected?
> >
> >	For BIND 9.5 you need to freeze periodically to
> >	re-sign records that have not been re-signed as part of the
> >	update process.  BIND 9.6 will re-sign the zone as needed.
> >	
> >	The latter works well.  I haven't had to manually sign my zones
> >	for months.
> 
> As I suppose we are all thinking about DNSSEC at the moment, it would be
> useful to have some clarification about the interaction between DNSSEC
> and dynamic update. We have been using update operations exclusively[*] 
> on all our zones for some time now. 
> 
> [*] OK: there is is a backstop freeze-replace-thaw procedure for use in 
> emergencies as well...
> 
> AFAICS there is no difference between 9.4.x and 9.5.x in this area: one
> has to put the new RRSIG (and NSEC, in general?) records into one's update
> requests; i.e. BIND cannot do any of the work for you. Have I got this right?
> The "periodic freeze" would be to replace soon-to-expire RRSIGs? although this
> could presumably be done via update operations as well.

	We don't accept RRSIG/NSEC updates (9.6 will accept
	RRSIG(DNSKEY) for offline KSKs, it will also block NSEC3
	changes).  Named will update the NSEC and RRSIG records of
	any RRset affected by the change.  This has not changed
	since BIND 9.0.  BIND 9.6 will also update NSEC3 records.

	What versions prior to BIND 9.6 don't do is re-sign RRsets
	that have not been changed by an update request.  named in
	BIND 9.6 will take care of these.

	Prior to BIND 9.6 you need to freeze/sign/replace/thaw on
	a regular basis.
 
> So, can we have a preview of what goodies BIND 9.6.x is going to give us?
> As clearly it already exists on Mark's testbed :-)

	Aiming for an alpha before IETF in Dublin (starts on the 27th).
 
> Maybe I should also ask: when will NSEC3 be supported by BIND's DNSSEC 
> validation code?  Not so much because we want to use it (we are not
> paranoid about "enumeration") but because we expect it to be a sticking
> point for many zones out there.

	BIND 9.6.

> -- 
> Chris Thompson
> Email: cet1 at cam.ac.uk
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
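Since versions before BIND 9.6 do not re-sign RRsets that an update request did not touch, the practical question is when the freeze/sign/replace/thaw pass is due. The following is an added example, not code from this thread or from BIND: it scans a signed zone in master-file presentation format for RRSIGs whose expiration falls within a threshold, on a constructed zone fragment, and assumes each RRSIG sits on a single line.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed zone fragment (not from the thread). RRSIG field order is:
# type-covered alg labels orig-ttl expiration inception keytag signer signature
SIGNED_ZONE = """\
example.net.       3600 IN SOA   ns1.example.net. hostmaster.example.net. 2008071701 3600 900 604800 300
example.net.       3600 IN RRSIG SOA 5 2 3600 20080801010708 20080702010708 12345 example.net. AbCd==
example.net.       3600 IN NS    ns1.example.net.
example.net.       3600 IN RRSIG NS 5 2 3600 20080901010708 20080702010708 12345 example.net. EfGh==
host1.example.net.  300 IN A     192.0.2.10
host1.example.net.  300 IN RRSIG A 5 3 300 20080720010708 20080620010708 12345 example.net. IjKl==
host1.example.net.  300 IN NSEC  host2.example.net. A RRSIG NSEC
host1.example.net.  300 IN RRSIG NSEC 5 3 300 20080720010708 20080620010708 12345 example.net. MnOp==
"""

# Date of the message above, used as the reference "now" in the demonstration.
MESSAGE_TIME = datetime(2008, 7, 17, 1, 7, 8, tzinfo=timezone.utc)

RRSIG_RE = re.compile(
    r"^(\S+)\s+(\d+)\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+"
)


def _parse_ts(s):
    """RRSIG times are YYYYMMDDHHMMSS in UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Yield (owner, type_covered, expiration, inception) for each RRSIG line."""
    for line in zone_text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            owner, _ttl, covered, exp, inc = m.groups()
            yield owner, covered, _parse_ts(exp), _parse_ts(inc)


def expiring_rrsigs(zone_text, now, within_days=7):
    """Sorted (owner, type) pairs whose RRSIG expires within `within_days` of `now`."""
    horizon = now + timedelta(days=within_days)
    due = {(o, t) for o, t, exp, _inc in parse_rrsigs(zone_text) if exp <= horizon}
    return sorted(due)


def resign_needed(zone_text, now, within_days=7):
    """True when at least one RRSIG is close enough to expiry to schedule a re-sign."""
    return bool(expiring_rrsigs(zone_text, now, within_days))


if __name__ == "__main__":
    for owner, rtype in expiring_rrsigs(SIGNED_ZONE, MESSAGE_TIME):
        print(f"RRSIG over {owner} {rtype} expires within 7 days")
```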