feature survey -- bind9 dnssec -- autogenerate missing signatures
Shane Kerr
Shane_Kerr at isc.org
Tue Sep 2 08:40:34 UTC 2008
Paul,
On Mon, 2008-09-01 at 23:20 +0000, Paul Vixie wrote:
> there would still be a need to sign the zone before it was first loaded. i
> can only imagine that some zones are large enough for this to be irritating.
> so here's my question. should bind9 dnssec be able to load an unsigned zone,
> sort it into dnssec security order, and then generate signatures and nsecs on
> the fly, only for rrsets that are actually queried? the signatures would be
> persistent, just as other autogenerated signatures (after updates or before
> expiration) are persistent. the signing key would have to be online or there
> would have to be a PKCS11 device online.
I don't see how this would work. The secondaries need a fully signed
zone, right?
You could do this in a way where the secondaries co-ordinate with the
master, but this would require new protocol work (and also raise the
usual single-point-of-failure versus multi-master issues). This seems
unpalatable over long links under any circumstances (we like
geographical and topological diversity, so long links seem like a good
thing, not a bad thing).
--
Shane
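To make concrete what "sort it into dnssec security order" and "generate nsecs" involve, here is a small illustration added to this archive page (not BIND code and not from either poster): canonical name ordering per RFC 4034 section 6.1, an NSEC chain built over a constructed toy zone, and the lookup of the NSEC that denies a non-existent name. It shows why an NSEC for a single queried name still depends on the sorted set of every owner name in the zone.

```python
# Canonical DNS name ordering (RFC 4034 s6.1) and NSEC chain construction.
# Added example for this thread; the zone below is constructed, not real.

def canonical_key(name):
    """Sort key: labels compared right-to-left, ASCII case folded, shorter
    name (a prefix of another) sorts first."""
    labels = [l.encode("ascii").lower() for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def sort_canonical(names):
    return sorted(names, key=canonical_key)

def build_nsec_chain(zone):
    """zone: dict owner -> set of RR types present at that owner.
    Returns [(owner, next_owner, type_bitmap)], last owner wrapping to apex."""
    owners = sort_canonical(zone)
    chain = []
    for i, owner in enumerate(owners):
        nxt = owners[(i + 1) % len(owners)]
        types = sorted(zone[owner] | {"NSEC", "RRSIG"})  # signed zone adds these
        chain.append((owner, nxt, types))
    return chain

def covering_nsec(chain, qname):
    """Return the NSEC proving qname does not exist, or None if it exists."""
    k = canonical_key(qname)
    for owner, nxt, types in chain:
        lo, hi = canonical_key(owner), canonical_key(nxt)
        if k == lo:
            return None            # name exists; no denial applies
        wraps = hi <= lo           # last record points back to the apex
        if (lo < k < hi) or (wraps and k > lo):
            return (owner, nxt, types)
    return None

# Constructed toy zone (apex "example."), deliberately mixed case.
ZONE = {
    "example.": {"SOA", "NS"},
    "a.example.": {"A"},
    "Z.a.example.": {"A"},
    "z.example.": {"MX"},
}
CHAIN = build_nsec_chain(ZONE)

if __name__ == "__main__":
    for owner, nxt, types in CHAIN:
        print(f"{owner:14} NSEC {nxt:14} {' '.join(types)}")
    print("b.example. denied by:", covering_nsec(CHAIN, "b.example.")[0])
```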