feature survey -- bind9 dnssec -- autogenerate missing signatures

Paul Vixie vixie at isc.org
Mon Sep 1 23:20:18 UTC 2008


assume for a moment that 9.6.0 will contain signature auto-regenerate before
expiration, so that there's no need to periodically resign/reload a zone.  we
already have, and have long had, the ability to generate new signatures on a
dynamic update.  including fixing nsec chains.  all of this requires that the
signing key be available, or for some kind of PKCS11 hardware to be used,
which i consider a reasonable constraint.

there would still be a need to sign the zone before it was first loaded.  i
can only imagine that some zones are large enough for this to be irritating.
so here's my question.  should bind9 dnssec be able to load an unsigned zone,
sort it into dnssec security order, and then generate signatures and nsecs on
the fly, only for rrsets that are actually queried?  the signatures would be
persistent, just as other autogenerated signatures (after updates or before
expiration) are persistent.  the signing key would have to be online or there
would have to be a PKCS11 device online.

in the grand scheme of "one button dnssec", this seems like the ultimate
power in the universe.  but before i go hunting sponsors for it, i'm asking
here on bind-workers whether anybody would use/enjoy such a feature.  i'm
especially interested in comments of the form "this would tip the balance."
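The proposal above sketched in code, as an added illustration that is not BIND code and not part of the original post: it loads a constructed unsigned zone, sorts it into DNSSEC canonical order (RFC 4034 section 6.1), and materialises NSEC records only when a query actually needs one, keeping each one once generated. RRSIG generation (which would need the online key or a PKCS#11 device) is left out; the zone data and the LazyNsecZone class are assumptions of the example.

```python
# Added illustration, not BIND code: canonical ordering plus NSEC records
# generated on first use and kept afterwards. Signing is omitted.
from bisect import bisect_right

def canonical_key(name):
    """RFC 4034 s6.1 ordering: lowercased labels compared right to left as
    octet strings; a name sorts before every name it is a suffix of."""
    labels = name.rstrip(".").lower().split(".") if name.strip(".") else []
    return tuple(label.encode() for label in reversed(labels))

class LazyNsecZone:
    def __init__(self, zone):
        self.zone = zone                                  # owner -> {type: rdata list}
        self.order = sorted(zone, key=canonical_key)      # canonical order, apex first
        self.keys = [canonical_key(n) for n in self.order]
        self.nsec = {}                                    # generated NSECs persist here

    def nsec_for(self, name):
        """Generate (once) the NSEC for `name`: next owner and type list."""
        if name not in self.nsec:
            i = self.order.index(name)
            nxt = self.order[(i + 1) % len(self.order)]   # last owner points back to apex
            types = sorted(set(self.zone[name]) | {"NSEC", "RRSIG"})
            self.nsec[name] = (nxt, types)
        return self.nsec[name]

    def query(self, qname, qtype):
        """Answer a query; an NSEC is only built when the answer needs one."""
        rrset = self.zone.get(qname, {})
        if qtype in rrset:                                # positive answer, no NSEC
            return {"rcode": "NOERROR", "answer": rrset[qtype]}
        if rrset:                                         # NODATA: NSEC of the name itself
            return {"rcode": "NOERROR", "nsec": {qname: self.nsec_for(qname)}}
        # NXDOMAIN: the NSEC of the canonical predecessor spans the missing name
        i = (bisect_right(self.keys, canonical_key(qname)) - 1) % len(self.order)
        prev = self.order[i]
        return {"rcode": "NXDOMAIN", "nsec": {prev: self.nsec_for(prev)}}

ZONE = {  # constructed sample zone, deliberately out of order and mixed case
    "example.com.": {"SOA": ["ns1 hostmaster 1 3600 900 1209600 300"],
                     "NS": ["ns1.example.com."]},
    "ns1.example.com.": {"A": ["192.0.2.1"]},
    "z.example.com.": {"A": ["192.0.2.3"]},
    "a.example.com.": {"A": ["192.0.2.2"], "TXT": ["v=spf1 -all"]},
    "Z.a.example.com.": {"A": ["192.0.2.4"]},
}
```

After a positive answer, a NODATA and an NXDOMAIN query, only the two NSECs those negative answers needed exist in `nsec`; the rest of the chain is never built until asked for.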
