dnssec config sanity check
Paul B. Henson
henson at acm.org
Thu Oct 6 01:30:56 UTC 2011

On Wed, Oct 05, 2011 at 12:22:58AM -0700, Stephane Bortzmeyer wrote:
> Not true. For every problem reported by the tool, I contacted the
> managers of the domain, both to report they have an issue and to ask
> them what system they were using. So, I'm pretty confident that
> OpenDNSSEC had no such issue.

Sorry then, that detail wasn't laid out in the paper...

Prior to the implementation of key timing metadata and the ability for
dnssec-signzone to automatically select what keys to use in bind 9.7, I
could see how a third party tool to manage rollover for you could be
useful. With it, the amount of wrapper to make it work in a simple
scenario isn't that big. Assuming my selection of timings isn't broken,
I'm reasonably confident our dnssec rollovers will proceed smoothly
without issues, and I'd rather use a little bit of custom local glue
that fits perfectly into our existing deployment rather than try to bend
a complicated tool to our will or change our deployment to match its
idea of how things should work.

Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768