Upgrading from 9.6 to 9.7

Mark Andrews marka at isc.org
Mon Sep 6 23:57:25 UTC 2010

In message <A312010A27F14658B095B6523E39B920 at sb.litts.net>, "Timothe Litt" writ
> I've been running 9.6-ESV-R1 and 9.6.1-P3 with "-DALLOW_INSECURE_TO_SECURE
> -DALLOW_SECURE_TO_INSECURE" serving DNSSEC zones on several servers - all
> linux, some FC13, others on ARM embedded systems.

-DALLOW_INSECURE_TO_SECURE is always allowed.

-DALLOW_SECURE_TO_INSECURE is a named.conf option
	dnssec-secure-to-insecure <boolean>;
> Is there any documentation for what I need to do to convert from this
> interim dnssec auto-signing mechanism to the 9.7.1-P2 release?  

Just allow keys changes to become stable, then remove the
sig-signing-type records.

> Are there interoperability issues between these versions?


> To make life more interesting, I not only want to update all my servers, but
> also must move the master server to a new host - with selinux (fedora core
> 13).
> Is there any 'getting started' presentation (esp for DNSEC) on 9.7?  There
> was a "DNSSEC in (a few) minutes" presentation for bind, but I haven't seen
> an update for 97.  The ARM is great reference, but not easy to decipher for
> upgrade situations...

Read up on "rndc sign" and "auto-dnssec".  9.7 also introduced "managed-keys"
for setting up trusted keys which are using RFC 5011 management techniques.

> (I'd be happy to move this to dnssec-deployment if the concensus is that it
> belongs there.)
> Thanks.
> ---------------------------------------------------------
> This communication may not represent my employer's views,
> if any, on the matters discussed. 
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list