dnssec config sanity check
bortzmeyer at nic.fr
Tue Oct 4 06:45:16 UTC 2011
On Mon, Oct 03, 2011 at 05:32:18PM -0700,
Paul B. Henson <henson at acm.org> wrote
a message of 59 lines which said:
> Our zone data is maintained in a revision control repository; when
> changes are made there is a process that generates a bind format
> zone file from the data, checks it for syntax errors, compiles, and
> then signs it, at the end reloading the zone into bind with rndc.
Experience of DNSSEC deployment (see my paper at SATIN)
shows that custom programs have many timing bugs. Many things can go
wrong. Why not use an existing program such as OpenDNSSEC?