feature survey -- bind9 dnssec -- autogenerate missing signatures

Paul Vixie vixie at isc.org
Tue Sep 2 21:38:57 UTC 2008


> I don't see how this would work. The secondaries need a fully signed
> zone, right?

yes of course, i hadn't thought about that.  clearly the zone would have to
begin its life with a single NSEC3 RR opting out the whole namespace, and
each autogenerated NSEC3 or RRSIG change would have to go out in IXFR.  one
could even contemplate kicking off the background signer (which will be in
9.6.0 but currently only looking for soon-to-expire, not unsigned, rrsets)
and letting the primary zone gradually sign itself and gradually bring the
secondaries along.  as much as i might like to distribute the signing load
amongst cooperating secondaries, that would require multimaster, which is a
hard and unsolved problem (no matter what microsoft may say otherwise.)
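An added example, not part of Paul Vixie's message and not BIND code: the "single NSEC3 RR opting out the whole namespace" he describes as a zone's starting state can be modelled directly. The block below computes RFC 5155 NSEC3 hashes (SHA-1, salt, iterations, base32hex), builds a one-record chain whose next-hash equals its own owner hash with the Opt-Out flag set, and classifies names as signed, covered under opt-out, or provably absent. The zone name, salt and iteration count are the ones used in RFC 5155 Appendix A; the query names are constructed for illustration, and the function and variable names are this example's own.

```python
"""
Added example (not from the thread): RFC 5155 NSEC3 hashing plus a check of
how a single opt-out NSEC3 RR covers every name in a zone except its own
owner. Zone, salt and iterations match RFC 5155 Appendix A; query names
are constructed.
"""
import hashlib
import base64

# base32 (RFC 4648) -> base32hex, the alphabet NSEC3 owner names use
STD_B32 = b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
HEX_B32 = b"0123456789abcdefghijklmnopqrstuv"
B32_TO_B32HEX = bytes.maketrans(STD_B32, HEX_B32)

OPT_OUT = 0x01  # NSEC3 Flags field, bit 0 (RFC 5155 section 3.1.2.1)


def canonical_wire_name(name):
    """Owner name in canonical wire form: lower-cased, length-prefixed
    labels, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().split(".") if lbl]
    wire = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return wire + b"\x00"


def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 section 5: IH(salt, x, 0) = H(x || salt),
    IH(salt, x, k) = H(IH(salt, x, k-1) || salt), H = SHA-1.
    Result is lower-case base32hex, as used in NSEC3 owner names."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(canonical_wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20 bytes encode to exactly 32 base32 characters, so no '=' padding
    return base64.b32encode(digest).translate(B32_TO_B32HEX).decode("ascii")


def nsec3_covers(owner_hash, next_hash, target_hash):
    """True when target_hash falls strictly between owner and next on the
    hash ring. A zone whose only NSEC3 has owner == next (a ring of one)
    covers every hash except its own owner."""
    if owner_hash == next_hash:
        return target_hash != owner_hash
    if owner_hash < next_hash:
        return owner_hash < target_hash < next_hash
    # last record of the chain wraps around to the first
    return target_hash > owner_hash or target_hash < next_hash


def classify_name(nsec3_chain, name, salt_hex, iterations):
    """What the chain asserts about `name`.
    nsec3_chain: list of (owner_hash, next_hash, flags) tuples.
    'signed'       hash matches an NSEC3 owner (name has signed RRsets)
    'opt-out'      covered by an Opt-Out NSEC3: an unsigned delegation may
                   exist here, nothing is proven about it
    'nxdomain'     covered by a non-Opt-Out NSEC3: name provably absent
    'broken-chain' nothing matches or covers it (validation would fail)"""
    h = nsec3_hash(name, salt_hex, iterations)
    for owner, nxt, flags in nsec3_chain:
        if h == owner:
            return "signed"
        if nsec3_covers(owner, nxt, h):
            return "opt-out" if flags & OPT_OUT else "nxdomain"
    return "broken-chain"


def initial_opt_out_chain(zone, salt_hex, iterations):
    """The 'day one' chain from the thread: one NSEC3 at the apex whose
    next-hash is its own hash and whose Opt-Out flag is set."""
    apex = nsec3_hash(zone, salt_hex, iterations)
    return [(apex, apex, OPT_OUT)]


if __name__ == "__main__":
    zone, salt, iters = "example", "aabbccdd", 12   # RFC 5155 Appendix A params
    chain = initial_opt_out_chain(zone, salt, iters)
    for n in ["example", "a.example", "ns1.example", "nonexistent.example"]:
        print(f"{n:22s} {nsec3_hash(n, salt, iters)}  "
              f"{classify_name(chain, n, salt, iters)}")
```

With the single opt-out record every name below the apex classifies as "opt-out", which is exactly why the secondaries can accept such a zone over AXFR/IXFR from the first moment: the chain is complete and valid, it simply proves nothing yet about the unsigned delegations. As the background signer adds per-name NSEC3 and RRSIG records, each new record splits the ring and narrows what the opt-out span covers, and those deltas are what would travel in IXFR.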


More information about the bind-workers mailing list