lists.isc.org rDNS failed, DNSSEC?

Evan Hunt each at isc.org
Sat Feb 25 01:00:52 UTC 2012


On Fri, Feb 24, 2012 at 04:48:14AM +0000, Vinny_Abello at Dell.com wrote:
> I kind of had the same thought... If ISC had a DNS outage due to expired
> signatures of a zone, what chance do I have in successfully deploying and
> maintaining DNSSEC for my zones?

Somewhat ironically, the part of ISC responsible for maintaining those
particular reverse zones isn't using the latest ISC software to do
it.  DNSSEC has gotten *much* easier over the past few years.  (I have
half a dozen signed domains and I haven't had to think about them since
I set the server up last April--it just works.)

But ISC was one of the first adopters of DNSSEC, and at that time
'dnssec-signzone' was the only tool available.  We're still using
some of the scripts that were written at that time, because the world
is full of broken things to fix, taking priority over things that mostly
work.  However, I believe the Ops department is planning to switch over to
BIND 9.9 fairly soon, in order to take advantage of the new inline-signing
feature (which in fact was largely developed at their behest).

https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.


