choosing key for auto-signing

Richard Doty rad at twig.com
Wed May 20 19:54:18 UTC 2009


On Wed, 20 May 2009 14:56:20 +1000 Mark Andrews wrote:
> 
> In message <200905200158.n4K1wMZV006680 at edge.twig.com>, Richard Doty writes:
> > I am running bind 9.5.0, and have a dynamic zone with two ZSK set
> > up in the pre-publish manner - one ZSK is "published" but not used
> > for signing, one ZSK is "active" and signs all records.  That's
> > how I use them when I do a full re-sign with dnssec-signzone.  But
> > when I make a dynamic update to the zone, bind signs the updated
> > record with both ZSKs.  That makes sense because bind has no way
> > to tell the two ZSKs apart.
> 
> 	Firstly I would just upgrade to BIND 9.6 so you don't need
> 	to use dnssec-signzone to re-sign the zone.

So if I add a key, or remove a key, using dynamic update, BIND 9.6
re-signs the whole zone automatically?  (assuming the private key
is visible).  And removes signatures that do not match an existing key?

What I'm doing now is:

    freeze zone
    add new key
    use dnssec-signzone to sign with new key
    thaw zone

Very clumsy, but couldn't think of anything else.

> 
> 	Named will re-sign using the private keys it has available
> 	to it.  Just keep the private key where named can't see it
> 	until you wish it to be used.  Then move it into place when
> 	you wish it to start signing and then move the existing
> 	private key out of the way.  Note the order of operations
> 	is important otherwise there will be a time when named has
> 	no private keys available to re-sign.

Thanks for that.

> 	We are looking at adding start and stop dates to keys so
> 	this will be less complicated in future.
> 
> 	Mark
>  
> > So I guess my question is - does pre-publish work with dynamic update?
> > If so, how is it configured?
> > 
> > Thanks,
> > 
> > Richard.
> > _______________________________________________
> > bind-users mailing list
> > bind-users at lists.isc.org
> > https://lists.isc.org/mailman/listinfo/bind-users
> -- 
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
> 
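One way to script the order of operations Mark describes, as an added example that is not from the thread or from ISC: the new ZSK's files are moved into named's key directory before the old private key is moved out, and the script refuses to retire the old key if named would be left with no private key. The directory layout and the Kexample.com.+005+NNNNN key names are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: roll a ZSK in the order Mark describes,
# by controlling which private keys named can see.  Paths and key names are
# constructed; key files use BIND's K<zone>.+<alg>+<id>.{key,private} names.
set -e

# Count the .private files named can currently see in a key directory.
count_private() {
    n=0
    for f in "$1"/K*.private; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# roll_zsk KEYDIR STAGING ARCHIVE NEWKEY OLDKEY
#   KEYDIR  - directory named reads keys from
#   STAGING - where the new key pair waits, out of named's sight
#   ARCHIVE - where the retired private key goes
# Assumes the new DNSKEY was already added to the zone (the pre-publish
# step).  The new private key goes in before the old one comes out, so
# named never has a moment with no ZSK private key to re-sign with.
roll_zsk() {
    keydir=$1 staging=$2 archive=$3 newkey=$4 oldkey=$5

    for ext in key private; do
        [ -f "$staging/$newkey.$ext" ] ||
            { echo "missing $staging/$newkey.$ext" >&2; return 1; }
    done

    # Step 1: make the new key pair visible to named.
    mv "$staging/$newkey.key" "$keydir/$newkey.key"
    mv "$staging/$newkey.private" "$keydir/$newkey.private"

    # Step 2: only now, with two private keys in place, retire the old one.
    if [ "$(count_private "$keydir")" -lt 2 ]; then
        echo "refusing to retire $oldkey: named would have no ZSK left" >&2
        return 1
    fi
    mkdir -p "$archive"
    mv "$keydir/$oldkey.private" "$archive/$oldkey.private"
    # The old .key stays: its DNSKEY remains published until the
    # signatures it made have expired (the post-publish half of the roll).
}
```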