DNSSEC made simple, is this possible?

Michael Graff mgraff at isc.org
Wed Jan 11 15:41:32 UTC 2012


You want BIND 9.9 (currently 9.9.0rc1) with inline signing.  This will do exactly what you want, I think.

--Michael

On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:

> 
> OK, in an attempt to start using DNSSEC over here, I suppose I bit myself
> in the backside, and even spending some time using googlefu I still haven't
> quite figured this all out.
> 
> I am currently running the current BIND 9.8.1, and set up to support DNSSEC.
> After reading around a bit, I saw that setting auto-dnssec in the config
> would read in the keys and sign the zones automatically, this seemed in
> theory to be perfect, so I configured it this way.   After that the domains
> were signed, and going to places like the verisign debugger showed my domain
> was happily secured with DNSSEC.  
> 
> Then I go to make a change to my DNS file, whoa was I in for a shock, as
> apparently BIND took my nice text file for DNS I have edited for ages, and
> converted it into a full signed zone.   Try and edit that file, and of
> course it bitches about it no longer matching the .jnl file and drops the
> zone.    This sure makes it hard to update things, well the way I am used to
> doing it.
> 
> So I guess my million dollar question is, I want to use DNSSEC (it's
> actually working now), but I want to be able to edit my zone files the way I
> always have for many years, and just have BIND sign the zones with the keys
> and update as needed to keep DNS running smoothly.   Is there some easy way
> to do this, some scripts someone has made, or some documentation to walk me
> through accomplishing this?
> 
> I can't believe there aren't a lot of others that have run DNS just as I
> have for years and years, and just want a nice simple way to keep using BIND
> and implementing the new security for the domains I manage.   I have googled
> till I have about turned blue, and maybe I am missing it, but I have seen
> some very complex key management systems and so forth, I have no need for
> anything that complex, so figure I am missing the solution that is hiding
> someplace.   Any pointers??
> 
> 
> ---
> Howard Leadmon 
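The difference between the two setups discussed in this thread, as a named.conf sketch. This is an added example, not configuration posted by either participant; the zone name, file paths and key directory are assumptions.

```conf
// Constructed example: "example.com", "master/..." and "keys/..." are
// placeholder names, not values from the thread.

// BIND 9.8.1 setup as described in the question. auto-dnssec needs a
// dynamic zone there, so named owns the zone file: it rewrites it with
// the DNSKEY/RRSIG/NSEC records and keeps a .jnl journal beside it.
// Hand edits to that file then disagree with the journal.
//
// zone "example.com" {
//     type master;
//     file "master/example.com";
//     key-directory "keys/example.com";
//     update-policy local;
//     auto-dnssec maintain;
// };

// BIND 9.9 with inline signing. named only reads master/example.com and
// serves a signed copy that it maintains itself in
// master/example.com.signed, so the text file stays hand-editable.
zone "example.com" {
    type master;
    file "master/example.com";         // unsigned, edited by hand
    key-directory "keys/example.com";  // K*.key / K*.private from dnssec-keygen
    inline-signing yes;                // keep signed data out of the source file
    auto-dnssec maintain;              // sign and re-sign using keys found above
};

// Editing workflow with the 9.9 stanza:
//   1. edit master/example.com and increase the SOA serial
//   2. rndc reload example.com
//   3. dig +dnssec @localhost example.com SOA    (answer should carry RRSIGs)
//
// File permissions to check: named must be able to write in the directory
// holding the zone file (for the .signed copy and its journal), and the
// K*.private files should be readable only by the account named runs as.
```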



