OT: Bind 9.9.0B1 Inline-Signing Question

Adam Tkac atkac at redhat.com
Fri Nov 11 10:24:53 UTC 2011


On 11/10/2011 11:16 PM, Evan Hunt wrote:
>> I know that this isn't the forum for betas
> Sure it is. :)
>
>> We have been testing with the alphas and now with the beta. What we are
>> seeing is that whenever named starts, it initially creates the signed
>> static zone file, but never really finishes.
> What do you mean by "never really finishes"?
>
> What are the options that are set for the static zone?  You should have
> these:
>
>         auto-dnssec maintain;
>         inline-signing yes;
>         key-directory "<dir>";
>
> ...with <dir> set to the location of the DNSSEC signing keys for your
> zone, including at least one KSK and one ZSK, both of which are set to
> be published and active.
>
Ah, this was the missing bit in my configuration, thanks for it :)

I have just one question: what should an inline-zone admin do? I assume
that named automatically regenerates & removes expired RRSIGs, so is it
sufficient to put a new KSK and ZSK into the key-directory when needed and
revoke older ones? Thanks for your answer in advance.

Regards, Adam
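
Added example, not part of the original message and not BIND's own code: a Python check that a key-directory holds at least one KSK and one ZSK that are both published and active, the precondition given in the quoted reply. It assumes the `; Publish:` / `; Activate:` timing comments that dnssec-keygen writes into K*.key files; the function names and the sample key texts are constructed for illustration.

```python
import re
from datetime import datetime, timezone
from pathlib import Path

META = re.compile(r"^;\s*(Publish|Activate|Revoke|Inactive|Delete):\s*(\d{14})", re.M)
DNSKEY = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+\d+\s+\d+\s", re.M)

# Constructed sample key files; the key data is a placeholder, not real key material.
SAMPLE_KSK = """; This is a key-signing key, keyid 11111, for example.com.
; Publish: 20111101000000 (Tue Nov  1 00:00:00 2011)
; Activate: 20111101000000 (Tue Nov  1 00:00:00 2011)
example.com. IN DNSKEY 257 3 8 AwEAAconstructedKSKplaceholder
"""
SAMPLE_ZSK = """; This is a zone-signing key, keyid 22222, for example.com.
; Publish: 20111101000000 (Tue Nov  1 00:00:00 2011)
; Activate: 20111201000000 (Thu Dec  1 00:00:00 2011)
example.com. IN DNSKEY 256 3 8 AwEAAconstructedZSKplaceholder
"""

def key_state(text, now):
    """Return (role, usable) for the text of one K*.key file at time `now` (UTC)."""
    rec = DNSKEY.search(text)
    if rec is None:
        raise ValueError("no DNSKEY record found")
    flags = int(rec.group(1))
    role = "KSK" if flags & 0x0001 else "ZSK"   # SEP bit set: key-signing key
    times = {name: datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
             for name, ts in META.findall(text)}
    # Assumption of this example: a key with no Publish/Activate metadata is
    # reported as not usable, so it gets looked at by a human.
    started = all(k in times and times[k] <= now for k in ("Publish", "Activate"))
    ended = any(k in times and times[k] <= now for k in ("Revoke", "Inactive", "Delete"))
    revoked = bool(flags & 0x0080)              # REVOKE bit in the DNSKEY flags
    return role, started and not ended and not revoked

def usable_keys(texts, now):
    """Count keys per role that are published and active at `now`."""
    counts = {"KSK": 0, "ZSK": 0}
    for text in texts:
        role, usable = key_state(text, now)
        counts[role] += int(usable)
    return counts

def check_directory(key_dir, now=None):
    now = now or datetime.now(timezone.utc)
    return usable_keys((p.read_text() for p in Path(key_dir).glob("K*.key")), now)

if __name__ == "__main__":
    import sys
    print(check_directory(sys.argv[1]))
```

A count of zero for either role means the zone does not yet meet the requirement quoted above.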


