9.7.0rc1 auto-dnssec control of RRSIG generation

Lars-Johan Liman liman at autonomica.se
Mon Jan 4 09:51:48 UTC 2010


each at isc.org:
> ...in which case it *isn't* a static zone: the RRSIGs are changing.

:-) Hihi! Touché! :-)

> It's certainly possible to have a cron job periodically running
> dnssec-signzone and issuing "rndc reload", but it's easier to have
> named keep track for you.  But that means the zone is no longer static;
> it's under the control of named.  You can't just edit the zone file by
> hand; you must either do the freeze-edit-thaw dance, or use DDNS updates.

> In a DNSSEC world, I believe it makes the most sense to treat nearly all
> zones as dynamic.  (That's why we added "update-policy local;" as a new
> feature in 9.7.  The goal of the release is to make it easier to configure
> DNSSEC.  I felt that making it easier to configure DDNS would be a
> necessary piece of that.)

I understand and support the line of reasoning above. I hadn't thought
about it. I would definitely have come up with Johan's question
myself, if I had sat down to play with the stuff.

I did a quick scan in Bv9ARM and found precious little documentation
about the new stuff, only a few lines. Can I suggest some more text -
where you also make these thoughts visible - to deflect a barrage of
questions in the future? :-)

				Cheers,
				  /Liman
#----------------------------------------------------------------------
# Lars-Johan Liman, M.Sc.   ! E-mail/SIP/Jabber: liman at autonomica.se
# Senior Systems Specialist ! Tel: +46 8 - 562 860 12
# Autonomica AB, Stockholm  ! http://www.autonomica.se/
#----------------------------------------------------------------------
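
The two ways of changing a named-maintained zone that the quoted text mentions (freeze-edit-thaw, or a DDNS update, here sent with `nsupdate -l` to a zone configured with "update-policy local;"), as an added example that is not part of the original message. The zone name, record, file path and function names are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. All zone names, records and
# paths used with these functions are constructed placeholders.

# Both tools can be overridden, e.g. RNDC=echo to preview the commands.
RNDC=${RNDC:-rndc}
NSUPDATE=${NSUPDATE:-nsupdate}

# Option 1: the freeze-edit-thaw dance.
# "rndc freeze" suspends dynamic updates so the zone file can be edited by
# hand; "rndc thaw" reloads the file and re-enables updates. The thaw runs
# even when the editor exits non-zero, so the zone is never left frozen.
# Remember to bump the SOA serial while editing.
freeze_edit_thaw() {
    zone=$1; file=$2; rc=0
    "$RNDC" freeze "$zone" || return 1
    ${EDITOR:-vi} "$file" || rc=$?
    "$RNDC" thaw "$zone" || return 1
    return "$rc"
}

# Option 2: a DDNS update. Build the nsupdate batch for adding one record.
ddns_batch() {
    zone=$1; name=$2; ttl=$3; type=$4; rdata=$5
    printf 'zone %s\nupdate add %s %s %s %s\nsend\n' \
        "$zone" "$name" "$ttl" "$type" "$rdata"
}

# Send the batch with "nsupdate -l" (local-host mode), which authenticates
# with the session key named generates for "update-policy local;" zones.
# named applies the change itself, so the zone file is never hand-edited.
ddns_add() {
    ddns_batch "$@" | "$NSUPDATE" -l
}

# Typical calls (placeholders):
#   freeze_edit_thaw example.test /var/named/example.test.db
#   ddns_add example.test www.example.test. 300 A 192.0.2.10
```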



More information about the bind-workers mailing list