DNSSEC made simple, is this possible?

Howard Leadmon howard at leadmon.net
Wed Jan 11 16:50:01 UTC 2012


Thanks, I will head on over and take a look, sounds like something I should
be interested in. Now if FreeBSD would just add 9.9 to the ports
collection, it would save me from having to build it by hand.


---
Howard Leadmon 

> -----Original Message-----
> From: Michael Graff [mailto:mgraff at isc.org]
> Sent: Wednesday, January 11, 2012 10:48 AM
> To: Howard Leadmon
> Cc: bind-users at lists.isc.org
> Subject: Re: DNSSEC made simple, is this possible?
> 
> ISC is also, by pure luck, offering a web seminar on inline signing in
> BIND 9.9 today.  While the first one starts in 15 minutes as I write this
> message, there are a total of three sessions today.
> 
> Head on over to http://www.isc.org/webinar to find out the times and
> information on how to join.
> 
> Sorry for my rather short answer before, but I wanted to check that this
> was indeed a public presentation before I sent people to a customer-only
> one.
> 
> --Michael
> 
> On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:
> 
> >
> > OK, in an attempt to start using DNSSEC over here, I suppose I bit
> > myself in the backside, and even spending some time using googlefu I
> > still haven't quite figured this all out.
> >
> > I am currently running the current BIND 9.8.1, and set up to support
> > DNSSEC. After reading around a bit, I saw that setting auto-dnssec in
> > the config would read in the keys and sign the zones automatically, this
> > seemed in theory to be perfect, so I configured it this way. After that
> > the domains were signed, and going to places like the verisign debugger
> > showed my domain was happily secured with DNSSEC.
> >
> > Then I go to make a change to my DNS file, whoa was I in for a shock,
> > as apparently BIND took my nice text file for DNS I have edited for
> > ages, and converted it into a full signed zone. Try and edit that file,
> > and of course it bitches about it no longer matching the .jnl file and
> > drops the zone. This sure makes it hard to update things, well the way
> > I am used to doing it.
> >
> > So I guess my million dollar question is, I want to use DNSSEC (it's
> > actually working now), but I want to be able to edit my zone files the
> > way I always have for many years, and just have BIND sign the zones with
> > the keys and update as needed to keep DNS running smoothly. Is there
> > some easy way to do this, some scripts someone has made, or some
> > documentation to walk me through accomplishing this?
> >
> > I can't believe there aren't a lot of others that have run DNS just as
> > I have for years and years, and just want a nice simple way to keep
> > using BIND and implementing the new security for the domains I manage.
> > I have googled till I have about turned blue, and maybe I am missing it,
> > but I have seen some very complex key management systems and so forth,
> > I have no need for anything that complex, so figure I am missing the
> > solution that is hiding someplace. Any pointers??
> >
> >
> > ---
> > Howard Leadmon