advice wanted: key management for nsupdate/DNSSEC

Mark Andrews Mark_Andrews at isc.org
Wed Mar 25 00:21:43 UTC 2009


In message <200903242339.n2ONd3X0021499 at edge.twig.com>, Richard Doty writes:
> Greetings,
> 
> I am wondering how folks handle keys for zones that are going
> to be signed with nsupdate.
> 
> It appears that named wants the zone signing keys to be in the
> location identified by the "directory" parameter, yes?  Putting
> all keys in one directory seems like a scaling issue, besides which
> I believe that particular directory needs to be writable by named
> so it can create core files.  I have to leave the keys online for
> nsupdate, but named doesn't need to modify them itself.
> 
> It would be cool if the location of per-zone keys were a per-zone
> configuration parameter, but I can't find any suggestion of that
> in the code.  Maybe I'm looking in the wrong place.

	See key-directory, which is a per-zone directive.
> 
> How do you manage your nsupdate keys?
> 
> Thanks,
> 
> Richard.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
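
The per-zone `key-directory` directive mentioned in the reply, shown in a named.conf fragment. This is an added example, not part of the original thread; the paths, zone names, TSIG key name and the ownership and modes in the comments are assumptions.

```conf
// Constructed fragment: every path, zone name and key name here is hypothetical.
options {
    // Working directory: the one place named needs write access
    // (core files, and journals for the dynamic zones below).
    directory "/var/named/work";
};

key "ddns-example" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   // placeholder, not a usable secret
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";         // relative to "directory"
    // Per-zone key location, kept outside the writable working directory.
    // Assumed ownership and modes: root:named, directory 0750,
    // K*.key and K*.private files 0640, so named can read the zone
    // signing keys but cannot modify or replace them.
    key-directory "/etc/namedb/keys/example.com";
    allow-update { key "ddns-example"; };
};

zone "example.net" {
    type master;
    file "dynamic/example.net.db";
    // A separate directory per zone avoids one large shared key directory
    // and lets access to each zone's keys be granted independently.
    key-directory "/etc/namedb/keys/example.net";
    allow-update { key "ddns-example"; };
};
```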


