auto update signatures dnssec

Alan Clegg aclegg at
Mon Dec 27 13:48:36 UTC 2010

On 12/27/2010 1:07 AM, fakessh wrote:

> good day and merry christmas.

Thanks, and to you as well.

> I just put in place guidelines in bind config to update the signatures
> dnssec
> I'm looking for options that require the least amount of maintenance that
> all updates of signatures are performed without any external intervention
> I quote my named conf
> zone "" {
>         type master;
>         file "/var/named/";
>         auto-dnssec maintain;
>         update-policy local;
>         key-directory "/var/named/";
>         allow-transfer {;;
>;; };
>         };
> is what the guidelines are good options

A bit more interesting is the command that you used to sign the zone.
When signatures reach 3/4 lifetime, the associated record is
automatically re-signed.

Additionally, when new keys are made available, signatures will be created
based on the timing meta-data in the keys.

Overall, the defaults seem to be "good enough" for nearly everyone.


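A small monitor for the behaviour Alan describes, added here as an example (it is not code from the thread, from BIND, or from either poster). It checks two things a zone operator relying on `auto-dnssec maintain` wants to verify from the outside: whether any RRSIG has passed the 3/4-of-lifetime point at which named should already have re-signed the record, and where a key sits in its lifecycle according to the Publish/Activate/Inactive/Delete timing metadata in its key file. The RRSIG lines and the key-file comments are constructed sample data in the presentation formats `dig +dnssec` and `dnssec-keygen` produce; the zone name `example.test`, key tag 12345 and all timestamps are made up for the example.

```python
"""Monitor for BIND's auto-dnssec maintain: flag RRSIGs that have passed
3/4 of their lifetime (named's re-sign point) and report a key's state
from its timing metadata. Added example, not code from the thread."""
from datetime import datetime, timezone

RESIGN_FRACTION = 0.75  # named re-signs a record once its RRSIG is 3/4 through its lifetime

# Constructed sample data (not from the thread). RRSIG lines as `dig +dnssec`
# prints them; key-file comment lines in the format dnssec-keygen writes.
SAMPLE_RRSIGS = """\
example.test. 3600 IN RRSIG A 8 2 3600 20110125000000 20101226000000 12345 example.test. c29tZXNpZw==
example.test. 3600 IN RRSIG SOA 8 2 3600 20110105000000 20101206000000 12345 example.test. c29tZXNpZw==
"""
SAMPLE_KEYFILE = """\
; This is a zone-signing key, keyid 12345, for example.test.
; Created: 20101227134836 (Mon Dec 27 13:48:36 2010)
; Publish: 20101227134836 (Mon Dec 27 13:48:36 2010)
; Activate: 20110101000000 (Sat Jan  1 00:00:00 2011)
; Inactive: 20110301000000 (Tue Mar  1 00:00:00 2011)
example.test. IN DNSKEY 256 3 8 AwEAAaCONSTRUCTEDKEY==
"""


def parse_ts(text):
    """Parse the YYYYMMDDHHMMSS timestamp used in RRSIGs and key files (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one presentation-format RRSIG into the fields we need."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"covers": f[4], "expiration": parse_ts(f[8]),
            "inception": parse_ts(f[9]), "keytag": int(f[10])}


def rrsig_status(sig, now):
    """'ok', 'resign-due' (past 3/4 lifetime, so named should already have
    re-signed) or 'expired' (validating resolvers now reject the record)."""
    lifetime = sig["expiration"] - sig["inception"]
    resign_at = sig["inception"] + lifetime * RESIGN_FRACTION
    if now >= sig["expiration"]:
        return "expired"
    if now >= resign_at:
        return "resign-due"
    return "ok"


def parse_key_timing(keyfile_text):
    """Collect the Created/Publish/Activate/Inactive/Delete metadata comments."""
    timing = {}
    for line in keyfile_text.splitlines():
        if line.startswith(";") and ":" in line:
            label, _, rest = line[1:].partition(":")
            label = label.strip()
            if label in ("Created", "Publish", "Activate", "Inactive", "Delete"):
                timing[label] = parse_ts(rest.split()[0])
    return timing


def key_state(timing, now):
    """Where the key is in its lifecycle at `now`, by the same metadata named reads."""
    if "Delete" in timing and now >= timing["Delete"]:
        return "deleted"
    if "Inactive" in timing and now >= timing["Inactive"]:
        return "inactive"      # still published, no longer used to sign
    if "Activate" in timing and now >= timing["Activate"]:
        return "active"
    if "Publish" in timing and now >= timing["Publish"]:
        return "published"     # in the DNSKEY RRset, not yet signing
    return "pending"


def report(rrsig_text, keyfile_text, now):
    """Return {rrtype: status} for each RRSIG plus the key's lifecycle state."""
    sigs = {}
    for line in rrsig_text.splitlines():
        sig = parse_rrsig(line)
        sigs[sig["covers"]] = rrsig_status(sig, now)
    return {"rrsigs": sigs, "key": key_state(parse_key_timing(keyfile_text), now)}


if __name__ == "__main__":
    import sys
    # Constructed "now" (2011-01-10) so the sample run is deterministic.
    when = parse_ts(sys.argv[1]) if len(sys.argv) > 1 else parse_ts("20110110000000")
    for name, status in report(SAMPLE_RRSIGS, SAMPLE_KEYFILE, when).items():
        print(name, status)
```

Run against the constructed sample at 2011-01-10 the A signature is still `ok` (it reaches 3/4 lifetime on 2011-01-17 12:00) while the SOA signature is already `expired`; a `resign-due` result on a live server is the signal that `auto-dnssec maintain` is not doing its job, for instance because the private key is missing from `key-directory` or the key's Activate time is still in the future.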

More information about the bind-users mailing list