9.7.0rc1 auto-dnssec control of RRSIG generation

Evan Hunt each at isc.org
Mon Jan 4 01:40:04 UTC 2010

> why is auto-dnssec only available for zones that are automatically updated?

Because it works by automatically updating the zone. :)

> But re-signing is also needed for static zones and to me it seems that a
> timer that wakes up the re-signing urge on a suitable clock would be an
> obvious thing.

...in which case it *isn't* a static zone: the RRSIGs are changing.

It's certainly possible to have a cron job periodically running
dnssec-signzone and issuing "rndc reload", but it's easier to have
named keep track for you.  But that means the zone is no longer static;
it's under the control of named.  You can't just edit the zone file by
hand; you must either do the freeze-edit-thaw dance, or use DDNS updates.

In a DNSSEC world, I believe it makes the most sense to treat nearly all
zones as dynamic.  (That's why we added "update-policy local;" as a new
feature in 9.7.  The goal of the release is to make it easier to configure
DNSSEC.  I felt that making it easier to configure DDNS would be a
necessary piece of that.)

Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

More information about the bind-workers mailing list