Bind 9.9.0b2 inline signing...
Spain, Dr. Jeffry A.
spainj at countryday.net
Wed Nov 23 20:42:01 UTC 2011
> Now, you can *also* turn on DDNS and use nsupdate on an inline-signing zone... but, if you're going to be using DDNS anyway, then I'm unclear what operational need is being served by separating the data. With or without inline-singing, your master file will be overwritten, and you'll have to concern yourself with freezing and thawing... and *with* inline-signing, there are more moving parts. So, I'd probably just use DDNS, turn off inline-signing, and let the zone take care of itself.
Thank you for your detailed response, Evan. Here's my operational plan. First of all we are a small organization with a few DNS zones that we manage for ourselves. I have also grown accustomed to using nsupdate -- the changes to the zone files are few and infrequent. From time to time I want to review the current state of the zone files. I have been accustomed with v9.8 to taking a copy of a signed zone file and stripping out the DNSSEC-related records in a text editor for easy review. I have been using dnsviz.net to verify periodically that DNSSEC is operating properly. Now in v9.9, I can eliminate this somewhat tedious step with my text editor because with inline signing, there is always an unsigned zone file available to me. If I am in a hurry to do my review after making an update, I can use "rndc sync myzone". Similarly in my nightly backup cron job, I can now backup both the signed and unsigned zone files after "rndc freeze myzone" to make sure they have incorporated the latest changes. I'm assuming that "rndc freeze myzone" freezes both the signed and unsigned zone files. I'm not worried about the freezing and thawing -- my cron job has been doing that with v9.8 with no apparent problems. I am also not worried about the increased number of moving parts -- I think it is reasonable to rely upon ISC to get this all working correctly. In v9.9.0b2, there is a problem with "rndc freeze" (reported earlier as [ISC-Bugs #26632]) so I will continue to test this with subsequent versions. Thanks again. Jeff.
Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
More information about the bind-users
mailing list