DNSSEC's sorted zone
Paul Wouters
paul at xelerance.com
Thu Jan 13 00:46:31 UTC 2011
On Thu, 13 Jan 2011, Mark Andrews wrote:
> dnssec-signzone uses multiple threads to sign the zone a node at a
> time. These work items finish in a non-deterministic manner leading
> to a different order in the resulting text file being produced.
> This is done after the zone was sorted to generate the NSEC records.
So post-processing with ldns-read-zone would allow one to see the actual
differences.
>> I'd recommend preprocessing the zone with ldns-read-zone, which also sorts
>> and canonicalises the zone. Later on, you can then also use this command
>> to separate unsigned data from dnssec, and merge in data (e.g. updates)
>> from multiple zone versions while re-using previous RRSIGs
>
> Firstly there is no need to pre-sort the zone. If one wants to
> canonicalise the zone, named-checkzone will do that fine.
> dnssec-signzone will work out if it needs to regenerate signatures
> or preserve the existing signatures.
In the setup I described, you get a new unsigned zone and you need
to merge it with the signed zone, hence the pre-processing.
(This is required for offline signers, where the private ZSK is not
available.)
Paul
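The thread's practical point is that dnssec-signzone emits records in a thread-dependent order, so two signings of the same zone cannot be compared with a plain diff until both outputs are put into canonical order. The following is an added example, not code from the thread, from ldns or from BIND: it implements the DNSSEC canonical name ordering of RFC 4034 section 6.1 in Python, sorts parsed zone lines by it, and diffs two signed-zone outputs so that only real changes (here a differing RRSIG) remain. The zone data, owner names and signature strings are constructed for illustration; the parser only handles one-record-per-line presentation format (no $ORIGIN or multi-line parentheses) and compares RDATA textually, unlike ldns-read-zone, which canonicalises in wire format.

```python
"""Canonically sort zone-file records so two dnssec-signzone outputs can be diffed.

Added example: not part of the bind-users thread, ldns or BIND. Sample zones
below are constructed data for illustration.
"""

def canonical_name_key(name: str) -> tuple:
    """Sort key implementing RFC 4034 s6.1 canonical DNS name order.

    Names are compared label by label starting from the root-most label,
    labels are compared as lowercase strings, and a name that is a proper
    suffix of another sorts first (the zone apex precedes its children).
    """
    labels = [label.lower() for label in name.rstrip(".").split(".") if label]
    labels.reverse()  # root-most label first so tuple comparison works
    return tuple(labels)


def parse_zone(text: str) -> list:
    """Parse 'owner TTL class TYPE rdata' lines into tuples.

    Minimal presentation-format parser: one record per line, comments after
    ';' stripped, owner lowercased and RDATA whitespace normalised. Not a
    full master-file parser (no $ORIGIN, $TTL or parenthesised records).
    """
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, ttl, klass, rtype, rdata = line.split(None, 4)
        records.append((owner.lower(), int(ttl), klass.upper(),
                        rtype.upper(), " ".join(rdata.split())))
    return records


def canonical_sort(records: list) -> list:
    """Order records by canonical owner name, then type, then RDATA text.

    The type/RDATA tie-break is a deterministic textual order, not the
    wire-format RRset ordering of RFC 4034 s6.3; it is enough for diffing.
    """
    return sorted(records, key=lambda r: (canonical_name_key(r[0]), r[3], r[4]))


def format_record(rec: tuple) -> str:
    return f"{rec[0]} {rec[1]} {rec[2]} {rec[3]} {rec[4]}"


def zone_diff(zone_a: str, zone_b: str) -> tuple:
    """Return (only_in_a, only_in_b) as canonically sorted record lines."""
    set_a, set_b = set(parse_zone(zone_a)), set(parse_zone(zone_b))
    only_a = [format_record(r) for r in canonical_sort(list(set_a - set_b))]
    only_b = [format_record(r) for r in canonical_sort(list(set_b - set_a))]
    return only_a, only_b


# Constructed sample: the same signed zone as two signing runs would emit it,
# in different record order and with cosmetic case/whitespace differences.
ZONE_A = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2011011301 7200 3600 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 8 2 3600 20110212000000 20110113000000 12345 example.test. AbCdEf==
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 8 3 3600 20110212000000 20110113000000 12345 example.test. GhIjKl==
ns1.example.test. 3600 IN A 192.0.2.1
"""

ZONE_B = """
ns1.example.test. 3600 IN A 192.0.2.1
WWW.example.test.   3600 IN A   192.0.2.10   ; same data, different case/spacing
example.test. 3600 IN RRSIG NS 8 2 3600 20110212000000 20110113000000 12345 example.test. AbCdEf==
www.example.test. 3600 IN RRSIG A 8 3 3600 20110212000000 20110113000000 12345 example.test. GhIjKl==
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2011011301 7200 3600 1209600 3600
"""

# Constructed sample: identical to ZONE_A except one RRSIG was regenerated.
ZONE_C = ZONE_A.replace("GhIjKl==", "ZzZzZz==")

if __name__ == "__main__":
    print("A vs B (reordered only):", zone_diff(ZONE_A, ZONE_B))
    print("A vs C (one RRSIG changed):", zone_diff(ZONE_A, ZONE_C))
```

Run against the two reordered outputs the diff is empty; against the re-signed copy only the changed RRSIG pair is reported, which is exactly the check one wants after a signing run to confirm that dnssec-signzone preserved the signatures it was expected to preserve.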