feature survey -- bind9 dnssec -- autogenerate missing signatures

Danny Mayer mayer at ntp.isc.org
Sat Oct 11 03:46:54 UTC 2008


Paul Vixie wrote:
>> I don't see how this would work. The secondaries need a fully signed
>> zone, right?
> 
> yes of course, i hadn't thought about that.  clearly the zone would have to
> begin its life with a single NSEC3 RR opting out the whole namespace, and
> each autogenerated NSEC3 or RRSIG change would have to go out in IXFR.  one
> could even contemplate kicking off the background signer (which will be in
> 9.6.0 but currently only looking for soon-to-expire, not unsigned, rrsets)
> and letting the primary zone gradually sign itself and gradually bring the
> secondaries along.  as much as i might like to distribute the signing load
> amongst cooperating secondaries, that would require multimaster, which is a
> hard and unsolved problem (no matter what microsoft may say otherwise.)

I remember reading in their documentation how Microsoft implemented this
and indeed it's quite smart. They may even have patents on this but I
don't know that. The biggest problem is the SOA record because the
serial number needs to be right and they haven't done a good job of that.

Danny



More information about the bind-workers mailing list