Automatic RRSIG Refresh in BIND 9.8.2
dot at dotat.at
Wed Jun 14 18:56:51 UTC 2017
Latitude <arlendelcastillo at gmail.com> wrote:
> I have read in Michael W. Lucas' DNSSEC Mastery book that BIND 9.9 and newer
> can automatically sign zones and refresh signatures (RRSIGs), but older
> versions cannot (p. 53).
That isn't entirely correct: BIND has had automatic signing since 9.7
(if I remember correctly - it has been a long time). You just need to
set `auto-dnssec maintain;` and (for simple cases) `update-policy local;`.
See section 4.9.3 on page 26 of
Also see my blog about DNSSEC in BIND 9.8 from 6 years ago (thanks Red Hat
for keeping such ancient relics relevant for so long)
What was new in 9.9 was inline-signing mode. Shameless plug: you can get
something very like inline-signing mode for antediluvian versions of BIND
using my `nsdiff` program http://dotat.at/prog/nsdiff/
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ - I xn--zr8h punycode
Humber, Thames: East or southeast, veering southwest later, 4 or 5,
occasionally 6 later in Thames. Smooth or slight, occasionally moderate later
in Thames. Fair. Good.
More information about the bind-users