feature survey -- bind9 dnssec -- autogenerate missing signatures
Michael Richardson
mcr at sandelman.ottawa.on.ca
Tue Sep 2 18:30:58 UTC 2008
>>>>> "Paul" == Paul Vixie <vixie at isc.org> writes:
Paul> there would still be a need to sign the zone before it was
Paul> first loaded. i can only imagine that some zones are large
Paul> enough for this to be irritating. so here's my question.
Paul> should bind9 dnssec be able to load an unsigned zone, sort it
Paul> into dnssec security order, and then generate signatures and
Paul> nsecs on the fly, only for rrsets that are actually queried?
Paul> the signatures would be persistent, just as other
Paul> autogenerated signatures (after updates or before expiration)
Paul> are persistent. the signing key would have to be online or
Paul> there would have to be a PKCS11 device online.
Is this still using the .jnl mechanism?
I found that mechanism very brittle when I was trying to do updates.
Given the problem with the secondaries, I think it's better to just
tell owners of zones with more than 100 RRsets that they have to sign
the zone the first time once.
--
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr at sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
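As an added illustration of the mechanism Paul sketches above (example code, not from this thread or from BIND 9), the sketch below loads an unsigned zone, sorts it into RFC 4034 canonical order, and generates NSEC records and signatures only for the RRsets a query actually needs, keeping them for later answers. The sample zone, the signing key and the HMAC used in place of a real RRSIG are constructed assumptions; it also shows why the full sort is needed before the first NXDOMAIN can be proved, even though nothing else has been signed yet.

```python
import bisect
import hashlib
import hmac

# Constructed sample zone, unsigned: owner name -> {rrtype: [rdata, ...]}
UNSIGNED_ZONE = {
    "example.":      {"SOA": ["ns1.example. hostmaster.example. 1 3600 900 604800 300"],
                      "NS": ["ns1.example."]},
    "www.example.":  {"A": ["192.0.2.1"]},
    "Mail.example.": {"A": ["192.0.2.2"]},
    "ns1.example.":  {"A": ["192.0.2.53"]},
}

def canonical_key(name):
    # RFC 4034 section 6.1 order: compare labels from the root, case-insensitively.
    return tuple(reversed(name.rstrip(".").lower().encode().split(b".")))

class LazySigner:
    def __init__(self, zone, signing_key):
        self.zone = zone
        self.order = sorted(zone, key=canonical_key)   # the whole zone, in DNSSEC order
        self.keys = [canonical_key(n) for n in self.order]
        self.signing_key = signing_key                 # has to stay online for this scheme
        self.generated = {}   # records generated so far; stands in for the persistent store
    def _rrsig(self, name, rrtype, rdatas):
        # Stand-in for an RRSIG: keyed digest of the canonical RRset, not a real DNSSEC signature.
        msg = b"\n".join(f"{name.lower()} {rrtype} {r}".encode() for r in sorted(rdatas))
        return hmac.new(self.signing_key, msg, hashlib.sha256).hexdigest()
    def _signed_rrset(self, name, rrtype):
        # Generate (and keep) the RRSIG, or the NSEC and its RRSIG, on first use only.
        if (name, rrtype) not in self.generated:
            if rrtype == "NSEC":
                nxt = self.order[(self.order.index(name) + 1) % len(self.order)]
                types = " ".join(sorted(self.zone[name]) + ["NSEC", "RRSIG"])
                rdatas = [f"{nxt} {types}"]
            else:
                rdatas = self.zone[name][rrtype]
            self.generated[(name, rrtype)] = (rdatas, self._rrsig(name, rrtype, rdatas))
        return self.generated[(name, rrtype)]
    def lookup(self, qname, qtype):
        # Answer one query, signing only what this answer needs (qname assumed below the apex).
        k = canonical_key(qname)
        i = bisect.bisect_left(self.keys, k)
        if i < len(self.keys) and self.keys[i] == k:
            name = self.order[i]
            if qtype in self.zone[name]:
                return {"rcode": "NOERROR", "rrset": self._signed_rrset(name, qtype)}
            # Name exists but type does not: the NSEC type bitmap proves the NODATA.
            return {"rcode": "NOERROR", "nsec": self._signed_rrset(name, "NSEC")}
        # NXDOMAIN: the NSEC of the closest preceding name covers qname, so the sort must
        # already cover every name in the zone before the first negative answer goes out.
        return {"rcode": "NXDOMAIN", "nsec": self._signed_rrset(self.order[i - 1], "NSEC")}
```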