choosing key for auto-signing

Mark Andrews Mark_Andrews at isc.org
Wed May 20 04:56:20 UTC 2009


In message <200905200158.n4K1wMZV006680 at edge.twig.com>, Richard Doty writes:
> I am running bind 9.5.0, and have a dynamic zone with two ZSK set
> up in the pre-publish manner - one ZSK is "published" but not used
> for signing, one ZSK is "active" and signs all records.  That's
> how I use them when I do a full re-sign with dnssec-signzone.  But
> when I make a dynamic update to the zone, bind signs the updated
> record with both ZSKs.  That makes sense because bind has no way
> to tell the two ZSKs apart.

	Firstly I would just upgrade to BIND 9.6 so you don't need
	to use dnssec-signzone to re-sign the zone.

	Named will re-sign using the private keys it has available
	to it.  Just keep the private key where named can't see it
	until you wish it to be used.  Then move it into place when
	you wish it to start signing and then move the existing
	private key out of the way.  Note the order of operations
	is important otherwise there will be a time when named has
	no private keys available to re-sign.

	We are looking at adding start and stop dates to keys so
	this will be less complicated in future.

	Mark
 
> So I guess my question is - does pre-publish work with dynamic update?
> If so, how is it configured?
> 
> Thanks,
> 
> Richard.
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
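The order of operations Mark describes above, written out as an added shell example that is not part of the original thread or of BIND itself. The key directory, staging directory and key file names (`Kexample.com.+005+NNNNN.private`) are constructed placeholders; the script only moves private key files in the safe order and does not signal named, so how named picks up the new key file is outside its scope. Only the `.private` file moves; the matching `.key` (public) file stays published, which is what makes this a pre-publish rollover.

```shell
#!/bin/sh
# Added example (not from the original post): rotate a ZSK private key in
# the order Mark describes, so named never has zero private keys visible.
# All paths and key names below are constructed placeholders.

# Count the private keys named can currently see in a key directory.
private_key_count() {
    ls "$1"/K*.private 2>/dev/null | wc -l | tr -d ' '
}

# rollover_zsk KEYDIR STAGING NEWKEY OLDKEY
#   KEYDIR  - directory named reads private keys from
#   STAGING - directory named cannot see (holds the pre-published key's
#             private half until it should start signing)
#   NEWKEY  - basename of the key to activate, e.g. Kexample.com.+005+22222
#   OLDKEY  - basename of the key to retire
rollover_zsk() {
    keydir=$1; staging=$2; newkey=$3; oldkey=$4

    # Step 1: move the new private key into place FIRST, so named gains
    # a signing key before it loses one.
    [ -f "$staging/$newkey.private" ] || return 1
    mv "$staging/$newkey.private" "$keydir/$newkey.private" || return 1

    # Step 2: only now move the old private key out of named's view.
    # Doing this before step 1 would leave a window with no signing key.
    mv "$keydir/$oldkey.private" "$staging/retired-$oldkey.private" || return 1

    # Sanity check: at least one private key must remain visible.
    [ "$(private_key_count "$keydir")" -ge 1 ]
}
```

Run it as `rollover_zsk /path/to/keys /path/to/staging Kexample.com.+005+22222 Kexample.com.+005+11111`; the function returns non-zero if the new key is missing, a move fails, or the key directory would be left with no private key.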