9.7.0rc1 auto-dnssec control of RRSIG generation

Rob Austein sra at isc.org
Mon Jan 4 01:15:38 UTC 2010


At Mon, 4 Jan 2010 01:53:57 +0100, Johan Ihren wrote:
> 
> why is auto-dnssec only available for zones that are automatically
> updated? I can understand that the arrival of a dynamic update is a
> natural trigger for re-signing. But re-signing is also needed for
> static zones and to me it seems that a timer that wakes up the
> re-signing urge on a suitable clock would be an obvious thing.

i didn't write the code in question, but i suspect the answer is
basically who has control of the zone, you or named.  that is: automatic
updates mean that named is modifying the zone content for you, so you
had better not be doing so yourself at the same time.

i suspect you can achieve approximately the effect you seem to be
looking for by creating a dynamic zone for which you then set an acl
that denies all ddns access.  you'd have to freeze/thaw when messing
with zone content yourself, but you'd almost certainly have to do
something like that anyway (see "control", above).
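The workaround sketched above, written out as a named.conf fragment. This is an added illustration, not configuration from the thread or from ISC; the zone name, file paths and key directory are placeholders, and it assumes that named treats a master zone with an explicit allow-update ACL as dynamic even when that ACL admits no client. The check is "rndc freeze": it is refused for a zone named does not consider dynamic.

```conf
// Added example (not from the thread): a "dynamic" zone that no DDNS
// client may update, so named keeps RRSIGs fresh but never changes the
// zone data on its own.
zone "example.com" {
    type master;
    file "dynamic/example.com.db";        // placeholder path

    // Having an update ACL is what makes named treat the zone as
    // dynamic (assumption: this holds even when the ACL matches nobody);
    // "none" then refuses every dynamic-update request.
    allow-update { none; };

    // Let named re-sign the zone and roll signatures on its own timer.
    auto-dnssec maintain;
    key-directory "keys/example.com";     // placeholder path
};

// Editing the zone file by hand while the zone is dynamic corrupts the
// journal, so the edit cycle is:
//   rndc freeze example.com     # named stops writing, flushes journal
//   $EDITOR dynamic/example.com.db
//   rndc thaw   example.com     # named reloads and re-signs as needed
// If "rndc freeze" reports the zone is not dynamic, the assumption above
// does not hold for your BIND version and the ACL trick does not apply.
```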



More information about the bind-workers mailing list