feature survey -- bind9 dnssec -- autogenerate missing signatures

Shane Kerr Shane_Kerr at isc.org
Tue Sep 2 08:40:34 UTC 2008


Paul,

On Mon, 2008-09-01 at 23:20 +0000, Paul Vixie wrote:
> there would still be a need to sign the zone before it was first loaded.  i
> can only imagine that some zones are large enough for this to be irritating.
> so here's my question.  should bind9 dnssec be able to load an unsigned zone,
> sort it into dnssec security order, and then generate signatures and nsecs on
> the fly, only for rrsets that are actually queried?  the signatures would be
> persistent, just as other autogenerated signatures (after updates or before
> expiration) are persistent.  the signing key would have to be online or there
> would have to be a PKCS11 device online.

I don't see how this would work. The secondaries need a fully signed
zone, right?

You could do this in a way where the secondaries co-ordinate with the
master, but this would require new protocol work (and also raise the
usual single-point-of-failure versus multi-master issues). This seems
unpalatable over long links under any circumstances (we like
geographical and topological diversity, so long links seem like a good
thing not a bad thing).

--
Shane
