Adding first DNSKEY record with update (9.6.0 vs 9.6.1)

Chris Thompson cet1 at cam.ac.uk
Wed Jul 15 14:33:35 UTC 2009


On Jul 15 2009, Mark Andrews wrote:

>In message <Prayer.1.3.1.0907141701530.27401 at hermes-2.csi.cam.ac.uk>,
>Chris Thompson writes:
>> In BIND 9.6.0 one could take an unsigned zone and add an initial
>> KSK and ZSK to it using nsupdate (and if the right files were in the
>> key directory, it would sign everything correctly). In BIND 9.6.1
>> this no longer works: it returns REFUSED. It's unclear to me whether
>> this change was intended - if so I can't work out which entry in the
>> CHANGES file it corresponds to.
>
>2530.   [bug]           named failed to reject insecure to secure transitions
>                        via UPDATE. [RT #19101]
>
>The functionality was supposed to be conditionally available;
>when it is complete, it will be available in a default build.

Thank you. Also Shumon Huque pointed out in private e-mail that this
has recently been discussed on bind-users in the thread "DNSKEY dynamic
update: unexpected change 9.6.0-P1 -> 9.6.1". It was careless of me 
not to have checked that.

Luckily my current plans for transitioning "real" zones from unsigned
to signed involve freezing, signing with dnssec-signzone, and then
thawing.

-- 
Chris Thompson
Email: cet1 at cam.ac.uk
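Added example (not from this thread or from BIND's own code): a pre-flight check that models the condition CHANGES entry 2530 enforces, namely that an UPDATE adding the first DNSKEY to an apex that has none is an insecure-to-secure transition and is answered REFUSED by 9.6.1, whereas a zone that already carries DNSKEYs can be rolled via UPDATE. The zone texts are constructed samples and the DNSKEY rdata are placeholders.

```python
from typing import Iterable

# Constructed sample zone files (not real zones); DNSKEY rdata are placeholders.
UNSIGNED_ZONE = """\
$ORIGIN example.test.
$TTL 3600
@   IN SOA ns1 hostmaster 2009071501 7200 3600 1209600 3600
@   IN NS  ns1
ns1 IN A   192.0.2.1
"""
SIGNED_ZONE = UNSIGNED_ZONE + """\
@   IN DNSKEY 257 3 5 AwEAAplaceholderKSK
@   IN DNSKEY 256 3 5 AwEAAplaceholderZSK
"""

CLASSES = {"IN", "CH", "HS"}

def apex_has_dnskey(zone_text: str) -> bool:
    """True if the apex ('@' or the $ORIGIN name) owns a DNSKEY RRset.
    Heuristic zone-file scan: the RR type is taken to be the first all-caps
    alphabetic token after the owner that is not a class name."""
    origin, last_owner = None, "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):                  # $TTL, $INCLUDE, ...
            continue
        fields = line.split()
        if raw[0].isspace():                      # owner omitted: inherit it
            owner = last_owner
        else:
            owner, fields = fields[0], fields[1:]
            last_owner = owner
        rrtype = next((f for f in fields
                       if f.isalpha() and f.isupper() and f not in CLASSES), None)
        if rrtype == "DNSKEY" and owner in ("@", origin):
            return True
    return False

def classify_update(zone_text: str, update_types: Iterable[str]) -> str:
    """Classify an nsupdate batch adding the given RR types at the apex:
    'insecure-to-secure' (refused by 9.6.1; freeze, dnssec-signzone, thaw instead),
    'key-change' (DNSKEYs already present), or 'no-dnskey-change'."""
    if not any(t.upper() == "DNSKEY" for t in update_types):
        return "no-dnskey-change"
    return "key-change" if apex_has_dnskey(zone_text) else "insecure-to-secure"
```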