Bootstrap inline signing
Niels Haarbo
haarbo at dk-hostmaster.dk
Fri Jan 18 10:31:56 UTC 2019
Is it supported to bootstrap inline signing using dnssec-signzone?
$ named-compilezone -f text -F raw -o example.raw example.com example.text
$ dnssec-signzone -S -K /etc/bind/keys -O raw -3 ABCDEF -H 19 -A -o example.com -f example.raw.signed example.text
and then load the two files (example.raw, example.raw.signed) into an
inline signing configuration.
The solution is apparently working fine.
The reason for the above approach is performance. The initial inline
signing is slow (several hours of computing) when signing a large zone.
I have tried different values for "sig-signing-nodes" and
"sig-signing-signatures" - but no luck.
--
Niels Haarbo,
DK Hostmaster A/S