feature survey -- bind9 dnssec -- autogenerate missing signatures
Jim Reid
jim at rfc1035.com
Tue Sep 2 10:36:16 UTC 2008
On Sep 2, 2008, at 00:20, Paul Vixie wrote:
> should bind9 dnssec be able to load an unsigned zone, sort it into
> dnssec security order, and then generate signatures and nsecs on the
> fly, only for rrsets that are actually queried?
I'm not sure this is a good idea because the people who are most
likely to use this feature will probably be unaware of the risks of
having the signing key on-line and won't have taken suitable
precautions. They're also likely to be the people that will be
startled by the SOA serial number magically changing as a result of
on-the-fly signing.
On a more practical level, how would this work when a slave server
gets a query with the DO bit set for a name that's been signed on the
master but that signature goop has still to find its way to the slave?
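To make the mechanism Paul describes and the two practical objections above concrete, here is an added illustration that is not part of this thread and not BIND code: a toy master that loads an unsigned zone, keeps it in canonical (RFC 4034 section 6.1) order, and generates an RRSIG and NSEC only when an RRset is first queried with the DO bit set, bumping the SOA serial as it does so; and a slave that serves whatever copy it last transferred. Everything in it is assumed for the example: the zone data is constructed, the "signature" is an HMAC-SHA256 over the canonical RRset with a secret that sits on the server (a stand-in for a real private-key RRSIG so the script runs offline; a real verifier would hold only the public DNSKEY), and `transfer()` stands in for AXFR after a NOTIFY or refresh. The `demo()` function returns what a DO-bit query gets from the master, from the slave before it has transferred the new signature, and from the slave afterwards.

```python
"""Toy model of on-the-fly DNSSEC signing (added illustration, not BIND code).
Assumed here: a zone is a dict name -> {type: [rdata, ...]}; the RRSIG is an
HMAC-SHA256 over the canonical RRset with an online secret, standing in for a
real private-key signature; the master signs an RRset and builds its NSEC only
when a DO-bit query arrives, bumping the SOA serial; the slave serves whatever
copy it last transferred."""
import hashlib
import hmac

ONLINE_KEY = b"hypothetical-signing-key-kept-on-the-nameserver"  # the online-key risk

ZONE = {  # constructed sample zone, unsigned
    "example.": {
        "SOA": ["ns1.example. hostmaster.example. 2008090201 7200 900 1209600 3600"],
        "NS": ["ns1.example.", "ns2.example."],
    },
    "www.example.": {"A": ["192.0.2.10"]},
    "mail.example.": {"A": ["192.0.2.25"], "MX": ["10 mail.example."]},
}


def canonical_key(name):
    """RFC 4034 section 6.1 ordering: compare labels right to left, case-folded."""
    name = name.rstrip(".").lower()
    return tuple(reversed(name.split("."))) if name else ()


def canonical_order(names):
    return sorted(names, key=canonical_key)


def rrset_wire(name, rtype, rdatas):
    """Canonical RRset form: owner and type, rdata sorted so order cannot vary."""
    return (f"{name.lower()} {rtype}\n" + "\n".join(sorted(rdatas))).encode()


def sign_rrset(name, rtype, rdatas, key=ONLINE_KEY):
    return hmac.new(key, rrset_wire(name, rtype, rdatas), hashlib.sha256).hexdigest()


def verify_rrset(name, rtype, rdatas, sig, key=ONLINE_KEY):
    return hmac.compare_digest(sign_rrset(name, rtype, rdatas, key), sig)


class Master:
    """Loads an unsigned zone and signs RRsets lazily, one DO-bit query at a time."""

    def __init__(self, zone):
        self.zone = {n: {t: list(r) for t, r in rrs.items()} for n, rrs in zone.items()}
        self.apex = canonical_order(self.zone)[0]
        self.sigs, self.nsecs = {}, {}

    @property
    def serial(self):
        return int(self.zone[self.apex]["SOA"][0].split()[2])

    def bump_serial(self):
        """Each on-the-fly signature is a zone change, so the serial moves (RFC 1982)."""
        fields = self.zone[self.apex]["SOA"][0].split()
        fields[2] = str((int(fields[2]) + 1) % 2**32)
        self.zone[self.apex]["SOA"] = [" ".join(fields)]
        if (self.apex, "SOA") in self.sigs:  # the old SOA signature no longer matches
            self.sigs[(self.apex, "SOA")] = sign_rrset(self.apex, "SOA", self.zone[self.apex]["SOA"])

    def build_nsec(self, name):
        """NSEC names the next owner in canonical order, wrapping round to the apex."""
        order = canonical_order(self.zone)
        nxt = order[(order.index(name) + 1) % len(order)]
        return f"{nxt} {' '.join(sorted(set(self.zone[name]) | {'NSEC', 'RRSIG'}))}"

    def query(self, name, rtype, do=False):
        rdatas = list(self.zone.get(name, {}).get(rtype, []))
        if not do or not rdatas:
            return {"rdata": rdatas, "rrsig": None}
        if (name, rtype) not in self.sigs:  # first DO query for this RRset: sign it now
            self.sigs[(name, rtype)] = sign_rrset(name, rtype, rdatas)
            self.nsecs[name] = self.build_nsec(name)
            self.bump_serial()
        return {"rdata": rdatas, "rrsig": self.sigs[(name, rtype)]}


class Slave:
    """Serves only what it last transferred; it holds no signing key."""

    def __init__(self):
        self.zone, self.sigs, self.nsecs, self.serial = {}, {}, {}, None

    def transfer(self, master):  # stands in for AXFR after NOTIFY or refresh
        self.zone = {n: {t: list(r) for t, r in rrs.items()} for n, rrs in master.zone.items()}
        self.sigs, self.nsecs, self.serial = dict(master.sigs), dict(master.nsecs), master.serial

    def query(self, name, rtype, do=False):
        rdatas = list(self.zone.get(name, {}).get(rtype, []))
        return {"rdata": rdatas, "rrsig": self.sigs.get((name, rtype)) if do else None}


def demo():
    """Master signs www on its first DO query; slave answers unsigned until it transfers again."""
    master, slave = Master(ZONE), Slave()
    slave.transfer(master)
    serial_before = master.serial
    from_master = master.query("www.example.", "A", do=True)
    slave_stale = slave.query("www.example.", "A", do=True)  # RRSIG has not reached the slave
    slave.transfer(master)
    slave_fresh = slave.query("www.example.", "A", do=True)
    return {"serial_before": serial_before, "serial_after": master.serial,
            "master": from_master, "slave_stale": slave_stale, "slave_fresh": slave_fresh,
            "nsec": master.nsecs["www.example."]}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows all three points at once: the master's answer carries an RRSIG produced with a key that lives on the server, the SOA serial has moved by one without any operator edit, and the slave's answer to the same DO-bit query is unsigned until its next transfer, which is exactly the window Jim asks about.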