[bind10-dev] Defer DDNS until after we have a signer?
Stephen Morris
stephen at isc.org
Thu Nov 17 15:34:45 UTC 2011
Ticket 1347 concerns the design and definition of the work required to
support DDNS.
DDNS is defined in RFC 2136 which pre-dates DNSSEC. Looking at one of
the RFCs that are reported as updating it, RFC 4033, the following
caught my eye:
    If possible, the private half of each DNSSEC key pair should be kept
    offline, but this will not be possible for a zone for which DNS
    dynamic update has been enabled. In the dynamic update case, the
    primary master server for the zone will have to re-sign the zone when
    it is updated, so the private key corresponding to the zone signing
    key will have to be kept online.
I.e. dynamic update does not update RRSIG records, so if a signed zone is
updated, the records need to be re-signed.
Although this ticket is only for the design and work breakdown, given
that we don't yet have a signer in the authoritative server, would it be
better to defer this work until we are closer to implementing it (i.e.
after we have written a signer)? Or should we proceed but disable DDNS
on signed zones?
Stephen
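The following is an added illustration of the point raised in the message above; it is not part of Stephen's post or of the BIND 10 code base. It models a signed zone as RRsets with one RRSIG per RRset, applies an RFC 2136-style update that changes the RRs but leaves the RRSIGs untouched, and shows that the affected RRset then fails verification until the primary re-signs it with the (necessarily online) ZSK. Assumptions: the zone names and addresses are constructed, a keyed MAC over the canonical RRset stands in for the asymmetric DNSSEC signature so the script runs with the standard library only (which is also why verification below takes the same key), and the canonical form is a simplified text flavour of RFC 4034 section 6 rather than wire format.

```python
"""Why a DDNS-enabled signed zone needs its ZSK online: a dynamic update
changes an RRset but not the RRSIG covering it, so the server must re-sign.
Constructed illustration; an HMAC stands in for the asymmetric signature."""
import hashlib
import hmac
from dataclasses import dataclass

# Assumption: a constructed stand-in for the ZSK private key, not a real DNSSEC key.
ZSK_PRIVATE = b"constructed-zsk-private-key-stand-in"


@dataclass(frozen=True)
class RR:
    owner: str
    ttl: int
    rtype: str
    rdata: str

    def key(self):
        """(owner, type) identifies the RRset; owner names are case-insensitive."""
        return (self.owner.lower().rstrip(".") + ".", self.rtype.upper())


def canonical_rrset(rrs):
    """Simplified RFC 4034 s.6 canonical form: lowercase owner, RRs sorted by RDATA."""
    keys = {rr.key() for rr in rrs}
    if len(keys) != 1:
        raise ValueError("an RRset has exactly one owner name and one type")
    owner, rtype = keys.pop()
    ttl = min(rr.ttl for rr in rrs)  # RRs of one set share a TTL (RFC 2181); take the minimum
    lines = sorted(f"{owner} {ttl} {rtype} {rr.rdata}" for rr in rrs)
    return "\n".join(lines).encode()


def sign_rrset(rrs, zsk):
    """Stand-in RRSIG: a MAC over the whole canonical RRset, so any change to any RR breaks it."""
    return hmac.new(zsk, canonical_rrset(rrs), hashlib.sha256).hexdigest()


def rrsets(zone):
    """Group a flat list of RRs into RRsets keyed by (owner, type)."""
    out = {}
    for rr in zone:
        out.setdefault(rr.key(), []).append(rr)
    return out


def sign_zone(zone, zsk):
    return {k: sign_rrset(v, zsk) for k, v in rrsets(zone).items()}


def stale_rrsets(zone, rrsigs, zsk):
    """RRsets whose RRSIG is missing or no longer verifies, plus RRSIGs whose RRset is gone."""
    sets = rrsets(zone)
    stale = [k for k, v in sets.items()
             if k not in rrsigs or not hmac.compare_digest(rrsigs[k], sign_rrset(v, zsk))]
    orphans = [k for k in rrsigs if k not in sets]
    return sorted(stale + orphans)


def apply_update(zone, add=(), delete=()):
    """RFC 2136-style update: edits the RRs named and nothing else; RRSIGs are not touched."""
    remaining = [rr for rr in zone if rr not in delete]
    return remaining + [rr for rr in add if rr not in remaining]


def resign(zone, rrsigs, zsk):
    """What the primary master must do after every update, hence the online ZSK."""
    sets = rrsets(zone)
    fresh = dict(rrsigs)
    for k in stale_rrsets(zone, rrsigs, zsk):
        if k in sets:
            fresh[k] = sign_rrset(sets[k], zsk)
        else:
            del fresh[k]  # the update deleted the whole RRset: drop its orphaned RRSIG
    return fresh


def demo():
    """Returns the stale-RRset lists before the update, after it, and after re-signing."""
    zone = [RR("www.example.", 3600, "A", "192.0.2.1"),     # constructed zone data
            RR("www.example.", 3600, "A", "192.0.2.2"),
            RR("mail.example.", 3600, "A", "192.0.2.10")]
    sigs = sign_zone(zone, ZSK_PRIVATE)
    before = stale_rrsets(zone, sigs, ZSK_PRIVATE)
    zone = apply_update(zone, add=[RR("www.example.", 3600, "A", "192.0.2.3")])
    after_update = stale_rrsets(zone, sigs, ZSK_PRIVATE)   # www RRset now fails
    sigs = resign(zone, sigs, ZSK_PRIVATE)
    after_resign = stale_rrsets(zone, sigs, ZSK_PRIVATE)
    return before, after_update, after_resign


if __name__ == "__main__":
    print(demo())
```

Because the signature covers the canonical form of the whole RRset, adding or removing a single RR invalidates the RRSIG for that RRset only; `resign` re-signs just those RRsets and drops RRSIGs left orphaned by a deletion, which is the incremental behaviour a primary with an online ZSK would need, and the reason the alternative in the message (disabling DDNS on signed zones) avoids keeping the key online at all.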