dnssec config sanity check

Paul B. Henson henson at acm.org
Thu Oct 6 01:30:56 UTC 2011

On Wed, Oct 05, 2011 at 12:22:58AM -0700, Stephane Bortzmeyer wrote:
> Not true. For every problem reported by the tool, I contacted the
> managers of the domain, both to report they have an issue and to ask
> them what system they were using. So, I'm pretty confident that
> OpenDNSSEC had no such issue.

Sorry then, that detail wasn't laid out in the paper...

Prior to the implementation of key timing metadata and the ability for
dnssec-signzone to automatically select what keys to use in bind 9.7, I
could see how a third party tool to manage rollover for you could be
useful. With it, the amount of wrapper to make it work in a simple
scenario isn't that big. Assuming my selection of timings isn't broken,
I'm reasonably confident our dnssec rollovers will procede smoothly
without issues, and I'd rather use a little bit of custom local glue
that fits perfectly into our existing deployment rather than try to bend
a complicated tool to our will or change our deployment to match its
idea of how things should work.

Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst  |  henson at csupomona.edu
California State Polytechnic University  |  Pomona CA 91768

More information about the bind-users mailing list