[bind10-dev] Defer DDNS until after we have a signer?
João Damas
joao at bondis.org
Thu Nov 17 16:24:12 UTC 2011
On 17 Nov 2011, at 16:34, Stephen Morris wrote:
> Ticket 1347 concerns the design and definition of the work required to
> support DDNS.
>
> DDNS is defined in RFC 2136 which pre-dates DNSSEC. Looking at one of
> the RFCs that are reported as updating it, RFC 4033, the following
> caught my eye:
>
> If possible, the private half of each DNSSEC key pair should be kept
> offline, but this will not be possible for a zone for which DNS
> dynamic update has been enabled. In the dynamic update case, the
> primary master server for the zone will have to re-sign the zone when
> it is updated, so the private key corresponding to the zone signing
> key will have to be kept online.
>
> i.e. dynamic update does not update RRSIG records so if a signed zone is
> updated, the records need to be re-signed.
>
and, potentially, the NSEC/3 chain (and corresponding signatures) needs updating as well.
> Although this ticket is only for the design and work breakdown, given
> that we don't yet have a signer in the authoritative server, would it be
> better to defer this work until we are closer to implementing it (i.e.
> after we have written a signer)? Or should we proceed but disable DDNS
> on signed zones?
>
> Stephen
> _______________________________________________
> bind10-dev mailing list
> bind10-dev at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind10-dev
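The two points raised in this thread (an RFC 2136 update changes RRsets but never their RRSIGs, and a new or removed owner name breaks the NSEC chain) can be made concrete with a small model. The following is an added example written for this archive page; it is not code from the thread or from BIND 10. It assumes a constructed four-record zone, and it stands in for the RRSIG with an HMAC over the canonical RRset so that it runs offline without real DNSSEC key material; the canonical ordering used for the NSEC chain follows RFC 4034 section 6.1.

```python
"""Why an RFC 2136 dynamic update to a DNSSEC-signed zone forces a re-sign.

Constructed example. The 'signature' is an HMAC stand-in for an RRSIG,
not real DNSSEC crypto; only the bookkeeping is what matters here.
"""
import hashlib
import hmac

# Stand-in for the zone-signing key: the private half that RFC 4033 says
# must stay online for a zone that accepts dynamic updates. Constructed value.
ZSK = b"constructed-zsk-placeholder"

# Constructed zone data: {(owner, type): set(rdata)}
ZONE = {
    ("example.test.", "SOA"): {"ns1.example.test. hostmaster.example.test. 1 3600 900 604800 300"},
    ("example.test.", "NS"): {"ns1.example.test."},
    ("ns1.example.test.", "A"): {"192.0.2.1"},
    ("www.example.test.", "A"): {"192.0.2.10"},
}


def canonical_key(name):
    """RFC 4034 s6.1 canonical order: compare labels right to left, case-insensitively."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def sign_rrset(owner, rtype, rdatas, key=ZSK):
    """Stand-in RRSIG: HMAC over the canonical form of the whole RRset."""
    canon = "\n".join(f"{owner.lower()} {rtype} {rd}" for rd in sorted(rdatas))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()


class SignedZone:
    def __init__(self, rrsets):
        self.rrsets = {k: set(v) for k, v in rrsets.items()}
        self.rrsigs = {}  # (owner, type) -> signature, NSEC RRsets included
        self.nsec = {}    # owner -> (next owner, frozenset of types present)
        self.sign()

    def owners(self):
        return sorted({o for o, _ in self.rrsets}, key=canonical_key)

    def expected_nsec(self):
        """The NSEC chain the current data implies: each owner -> next in canonical order."""
        names = self.owners()
        chain = {}
        for i, o in enumerate(names):
            types = frozenset(t for (own, t) in self.rrsets if own == o) | {"NSEC", "RRSIG"}
            chain[o] = (names[(i + 1) % len(names)], types)
        return chain

    def sign(self):
        """Full (re-)sign: rebuild the NSEC chain and sign every RRset, NSECs included."""
        self.nsec = self.expected_nsec()
        self.rrsigs = {}
        for (o, t), rd in self.rrsets.items():
            self.rrsigs[(o, t)] = sign_rrset(o, t, rd)
        for o, (nxt, types) in self.nsec.items():
            self.rrsigs[(o, "NSEC")] = sign_rrset(o, "NSEC", {f"{nxt} {' '.join(sorted(types))}"})

    def dynamic_update(self, adds=(), deletes=()):
        """RFC 2136 semantics: the update touches RRsets only; RRSIG and NSEC are left as they were."""
        for o, t, rd in adds:
            self.rrsets.setdefault((o, t), set()).add(rd)
        for o, t, rd in deletes:
            rrset = self.rrsets.get((o, t))
            if rrset is not None:
                rrset.discard(rd)
                if not rrset:
                    del self.rrsets[(o, t)]

    def stale(self):
        """What no longer validates: RRsets whose RRSIG is wrong or missing, and NSEC chain breaks."""
        bad_sigs = {(o, t) for (o, t), rd in self.rrsets.items()
                    if self.rrsigs.get((o, t)) != sign_rrset(o, t, rd)}
        expected = self.expected_nsec()
        bad_nsec = {o for o in set(expected) | set(self.nsec)
                    if expected.get(o) != self.nsec.get(o)}
        return bad_sigs, bad_nsec


def run_update_example():
    """Add an RR to an existing RRset and introduce a new owner name, then re-sign."""
    zone = SignedZone(ZONE)
    zone.dynamic_update(adds=[("www.example.test.", "A", "192.0.2.11"),
                              ("ftp.example.test.", "A", "192.0.2.20")])
    before = zone.stale()   # changed RRset, unsigned new RRset, two broken NSEC links
    zone.sign()             # the primary re-signs with the online ZSK
    after = zone.stale()    # nothing left stale
    return before, after


if __name__ == "__main__":
    before, after = run_update_example()
    print("stale RRSIGs:", sorted(before[0]))
    print("broken NSEC owners:", sorted(before[1]))
    print("after re-sign:", after)
```

The model shows both halves of the thread's concern: adding a second A record to `www` invalidates that RRset's signature, the new `ftp` name has no signature at all, and inserting `ftp` between the apex and `ns1` breaks the apex NSEC's "next owner" pointer while leaving `ftp` without an NSEC of its own. None of that can be repaired without the zone-signing key being available to the server that applied the update, which is the reason the signer has to exist before DDNS on signed zones can be enabled.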