9.7.0rc1 auto-dnssec control of RRSIG generation
each at isc.org
Mon Jan 4 01:40:04 UTC 2010
> why is auto-dnssec only available for zones that are automatically updated?
Because it works by automatically updating the zone. :)
> But re-signing is also needed for static zones and to me it seems that a
> timer that wakes up the re-signing urge on a suitable clock would be an
> obvious thing.
...in which case it *isn't* a static zone: the RRSIGs are changing.
It's certainly possible to have a cron job periodically running
dnssec-signzone and issuing "rndc reload", but it's easier to have
named keep track for you. But that means the zone is no longer static;
it's under the control of named. You can't just edit the zone file by
hand; you must either do the freeze-edit-thaw dance, or use DDNS updates.
In a DNSSEC world, I believe it makes the most sense to treat nearly all
zones as dynamic. (That's why we added "update-policy local;" as a new
feature in 9.7. The goal of the release is to make it easier to configure
DNSSEC. I felt that making it easier to configure DDNS would be a
necessary piece of that.)
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
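A named.conf fragment for the setup the reply describes, together with the freeze-edit-thaw and DDNS alternatives it mentions, as an added example that is not part of the original message or of BIND's own documentation; the zone name, file paths and key directory are assumed:

```conf
// Added example (not from the original post): a zone that named keeps
// signed itself. Zone name, file path and key directory are assumed.
zone "example.net" {
    type master;
    file "/var/named/dynamic/example.net.db";
    key-directory "/var/named/keys";   // DNSKEY and private key files
    // named adds and refreshes RRSIGs as keys and signature
    // lifetimes require, instead of a cron job running dnssec-signzone.
    auto-dnssec maintain;
    // Accept DDNS updates from localhost signed with the TSIG session
    // key that "nsupdate -l" uses (update-policy local; new in 9.7).
    // auto-dnssec needs the zone to be dynamic, which this provides.
    update-policy local;
};

// The zone is now under named's control, so do not edit the file in
// place. Either do the freeze-edit-thaw dance:
//   rndc freeze example.net
//   $EDITOR /var/named/dynamic/example.net.db
//   rndc thaw example.net
// or send a DDNS update over the local session key:
//   nsupdate -l
//   > update add www.example.net. 3600 IN A 192.0.2.10
//   > send
// In both cases named re-signs the changed records itself.
```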