Some dnssec-signzone questions
torinthiel at data.pl
Tue Feb 1 14:37:18 UTC 2011
I have three questions regarding dnssec-signzone:
To clarify things, I'm using BIND 9.7.2-P2.
First is about input file: you can specify on the command line either the
signed version of the zone, or the unsigned one.
What I'd like to do hovever, is to use both.
The unsigned zone is much more readable, and can contain $INCLUDE directives,
which makes modification easier.
But specifying the signed zone has added benefit of reusing existing
signatures, thus saving on computation time (not that I have a lot to save
on ;). So, I'd like dnssec-signzone to take 'normal' records from non-signed
zone, try to reuse RRSIG records as much as possible, taking them from
signed zone, and write the result.
Is this possible with dnssec-signzone? Other than writing a custom tool to
filter only NSEC/RRSIG records from .signed and appending this file to
Which might not be that hard, probably a simple sed script would do.
Another is about key management and -S option:
Guessing by what I've read in the man page -S should use key metadata to
decide when to include/exclude/use/revoke the key.
However, I've been unable to make it work. I have 2 KSK keys, one of them
set to revoke in the past, as dnssec-settime kindly tells me.
But, when I do dnssec-signzone -S on the unsigned file, I get error message:
dnssec-signzone: fatal: cannot find DNSKEY RRSIGs
and nothing is signed.
dnssec-signzone without -S can properly sign the zone, ignoring revokation
Then, I do dnssec-signzone -S on the signed file, which only retains old
signatures, also happily ignoring revokation time.
What am I doing wrong, why it fails to behave as I'd expect?
Third is about -N option:
a well established practice (although I don't know what was the origin) is
to set SOA serial number to eg 2011020101, which is current day and
two-digit of daily version. This has benefit of being almost as good as
putting unixtime of last modification, while being much more human-readable.
How difficult would it be to implement this for dnssec-signzone -N, using a
fourth format specifier?
More information about the bind-users