Automated DNSSEC (command line)

Mark Andrews marka at
Sat May 29 00:52:44 UTC 2010

In message <20100529001832.GB4692 at>, Michelle Konzack writes:
> Hello Mark,
> On 2010-05-29 09:06:40, you hacked down the following:
> > You can just let named re-sign the zone for you.  Treat the zones
> > as dynamic and named from BIND 9.6 onwards will maintain the
> > signatures for you.
> What do you mean with "Treat the zones as dynamic"?
> Is there a special option?

Add allow-update or update-policy clause.

BIND 9.7.0 supports "update-policy local;" and "nsupdate -l" talks via it.

> > Use nsupdate to change the contents of the zone.
> OK. I have to change my scripts to use "nsupdate", but as I have
> understood it right, you cannot add NEW hosts to a zone through
> nsupdate (has never worked) or has it changed now?

You make any change you want to a zone via nsupdate and this has
always been the case.  You just can't create or destroy the zone.
DHCP servers have been adding and deleting hosts for years using

> Thanks, Greetings and nice Day/Evening
>     Michelle Konzack

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
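
The procedure described in this reply (an update-policy clause on the zone, then changes through "nsupdate -l"), as an added example that is not part of the original message and not ISC's code. The zone name, file path, host names, TTL, addresses and function names are constructed for illustration.

```shell
#!/bin/sh
# Added example. Zone, hosts, TTL and addresses are constructed values.
# Assumed named.conf stanza making the zone dynamic (BIND 9.7.0 or later):
#   zone "example.com" {
#       type master;
#       file "dynamic/example.com.db";
#       update-policy local;
#   };
ZONE="example.com"
TTL=3600

# Accept a single hostname label only, so a value containing spaces or
# newlines cannot add extra commands to the nsupdate batch.
valid_label() {
    case "$1" in ""|-*|*-|*[!A-Za-z0-9-]*) return 1 ;; esac
    [ "${#1}" -le 63 ]
}

# Accept a dotted-quad IPv4 address only.
valid_ipv4() {
    case "$1" in ""|.*|*.|*[!0-9.]*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Batch that adds a NEW host: the prerequisite makes the server refuse the
# update if the name already exists, instead of merging into it.
add_host_batch() {
    valid_label "$1" && valid_ipv4 "$2" || return 1
    printf 'zone %s\nprereq nxdomain %s.%s.\n' "$ZONE" "$1" "$ZONE"
    printf 'update add %s.%s. %s A %s\nsend\n' "$1" "$ZONE" "$TTL" "$2"
}

# Batch that removes the host's A record.
del_host_batch() {
    valid_label "$1" || return 1
    printf 'zone %s\nupdate delete %s.%s. A\nsend\n' "$ZONE" "$1" "$ZONE"
}

# Usage on the name server itself: ./addhost.sh www2 192.0.2.10
if [ "$#" -eq 2 ]; then
    batch=$(add_host_batch "$1" "$2") || { echo "invalid input" >&2; exit 1; }
    printf '%s\n' "$batch" | nsupdate -l
fi
```

Because the zone is dynamic, named signs the added record itself; the zone file is not edited by hand.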
