auto-dnssec create

Daniel Ryšlink daniel.ryslink at dialtelecom.cz
Wed Jan 8 15:12:41 UTC 2014


Hello,

Browsing through the man page for named.conf, the directive auto-dnssec 
is stated to allow the following values:

auto-dnssec allow|maintain|create|off;

The "create" option caught my attention, because it indicated that bind 
could perform not only automatic roll-overs of prepared keys with the 
correct meta-data from a specified directory, but also create new ZSK 
and KSK keys as necessary.

After experimenting with this option, I found out that the latest BIND 
9.9.4 considers it invalid, and googling further revealed to me that the 
directive had the "to-be-implemented" status in 9.9.7, only to be 
scrapped altogether later (I found a changelog item mentioning removal of 
all references to it, so I consider the man-page reference to be an 
omission).

Still, why was this highly useful option scrapped? Was the reason an effort 
to discourage bad practices of having the KSK key on the same machine 
that serves as the primary master?

Thank you in advance for any insights provided.

-- 
Best regards,
Daniel Ryšlink
System Administrator

Dial Telecom a. s.
Křižíkova 36a/237
186 00 Praha 3, Česká Republika
Tel.:+420.226204627
daniel.ryslink at dialtelecom.cz
-----------------------------------------------
www.dialtelecom.cz
Dial Telecom, a.s.
Simply connect
-----------------------------------------------



More information about the bind-users mailing list