DNSSEC made simple, is this possible?

Michael Graff mgraff at isc.org
Wed Jan 11 15:48:05 UTC 2012


ISC is also, by pure luck, offering a web seminar on inline signing in BIND 9.9 today.  While the first one starts in 15 minutes as I write this message, there are a total of three sessions today.

Head on over to http://www.isc.org/webinar to find out the times and information on how to join.

Sorry for my rather short answer before, but I wanted to check that this was indeed a public presentation before I sent people to a customer-only one.

--Michael

On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:

> 
> OK, in an attempt to start using DNSSEC over here, I suppose I bit myself
> in the backside, and even spending some time using googlefu I still haven't
> quite figured this all out.
> 
> I am currently running the current BIND 9.8.1, and set up to support DNSSEC.
> After reading around a bit, I saw that setting auto-dnssec in the config
> would read in the keys and sign the zones automatically, this seemed in
> theory to be perfect, so I configured it this way.   After that the domains
> were signed, and going to places like the Verisign debugger showed my domain
> was happily secured with DNSSEC.  
> 
> Then I go to make a change to my DNS file, whoa was I in for a shock, as
> apparently BIND took my nice text file for DNS I have edited for ages, and
> converted it into a full signed zone.   Try and edit that file, and of
> course it bitches about it no longer matching the .jnl file and drops the
> zone.    This sure makes it hard to update things, well the way I am used to
> doing it.
> 
> So I guess my million dollar question is, I want to use DNSSEC (it's
> actually working now), but I want to be able to edit my zone files the way I
> always have for many years, and just have BIND sign the zones with the keys
> and update as needed to keep DNS running smoothly.   Is there some easy way
> to do this, some scripts someone has made, or some documentation to walk me
> through accomplishing this?
> 
> I can't believe there aren't a lot of others that have run DNS just as I
> have for years and years, and just want a nice simple way to keep using BIND
> and implementing the new security for the domains I manage.   I have googled
> till I have about turned blue, and maybe I am missing it, but I have seen
> some very complex key management systems and so forth, I have no need for
> anything that complex, so figure I am missing the solution that is hiding
> someplace.   Any pointers??
> 
> 
> ---
> Howard Leadmon 
> 
> 
> 
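
The difference between the setup described in the question and the inline signing mentioned in the reply, as an added example that is not part of either message: two alternative `named.conf` zone stanzas (use one, not both). The zone name `example.com`, the file paths and the key directory are placeholders.

```conf
// Constructed named.conf fragments; zone name and paths are placeholders.

// Alternative 1, the BIND 9.8 setup from the question: auto-dnssec needs a
// dynamic zone, so named rewrites db.example.com in signed form and records
// changes in db.example.com.jnl. A hand edit made without
// "rndc freeze example.com" / "rndc thaw example.com" around it no longer
// matches the journal, and the zone fails to load.
zone "example.com" {
    type master;
    file "dynamic/db.example.com";
    key-directory "keys/example.com";   // K*.key / K*.private files live here
    update-policy local;                // makes the zone dynamic
    auto-dnssec maintain;               // load keys and sign automatically
};

// Alternative 2, BIND 9.9 inline signing: named leaves db.example.com as the
// unsigned, hand-edited source and keeps the signed version it serves in a
// separate db.example.com.signed file with its own journal.
zone "example.com" {
    type master;
    file "master/db.example.com";
    key-directory "keys/example.com";
    inline-signing yes;                 // sign a copy, not the source file
    auto-dnssec maintain;               // key loading and re-signing as before
};
```

With the second stanza the editing routine stays the familiar one: change the zone file, increment the SOA serial, then run `rndc reload example.com`.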



