Automatic DNSSEC signing workflow
Daniel A. Ramaley
daniel.ramaley at drake.edu
Tue Jul 5 14:02:00 UTC 2016
On 2016-07-04 at 15:44:32 Tony Finch <dot at dotat.at> wrote:
> In most cases it is best to either use `nsupdate` exclusively, or
> directly edit the master file, but not a mixture of the two. If you
> are using `nsupdate` then there is no need for inline-signing.
From the responses I received, it seems I completely misunderstood how
automatic signing is supposed to work. If I'm now understanding
correctly, there are 2 mutually exclusive ways to do things:
1) Maintain zone files with a text editor, and sign them manually.
2) Maintain zones with nsupdate, and let BIND sign them.
It seems I was mixing the two and not getting the results I expected.
I'll talk it over with our network administrators (they do most of our
DNS updates) and see which way they'd prefer to maintain zones, and then
provide appropriate instructions.
Thanks everyone for clearing up my confusion!
P.S.: Cool e-mail address. I first heard of dot at dotat.at some years
ago when a friend found out about it randomly. I never expected to
communicate with the owner of that address though!
Daniel A. Ramaley | Server Engineer 2
Information Technology Services (ITS) | Drake University
T: +1 (515) 271-4540
F: +1 (515) 271-1938
E: daniel.ramaley at drake.edu