

To: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>
cc: "'dnssec@cafax.se '" <dnssec@cafax.se>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Date: Thu, 29 Aug 2002 13:14:13 -0400
In-reply-to: Your message of "Wed, 28 Aug 2002 23:09:09 EDT." <3C1E3607B37295439F7C409EFBA08E680E2DC2@US-Columbia-CIST.mail.saic.com>
Sender: owner-dnssec@cafax.se
Subject: Re: Dynamic update, signed zones, and DS/Opt-in

>>>>> "Loomis," == Loomis, Rip <GILBERT.R.LOOMIS@saic.com> writes:
    >> The major operational issues that I have are issues with being unable
    >> to edit the zone file properly. bind9, when it writes out the zone
    >> file, writes out the .signed file, which then gets wiped out
    >> again. That is currently keeping me from doing dynamic update more
    >> often.

    Loomis> So you have the key online, and automatic re-signing after each
    Loomis> dynamic update, but the zone file gets wiped out before the
    Loomis> re-signing is complete?  Or did I miss something...

  db.example.com --(dnssec-signzone)-->db.example.com.signed
                                           ^
      dynupd-------------------------------/ updates (w/re-signs)

  If I want to change something in the base zone, I have to stop named,
merge db.example.com.signed back into db.example.com, edit, resign,
and restart.
  
  A better system would be if the updates didn't cause the file to be
re-written - it would be better if the file had REPLACE/DELETE operatives,
and one could instead have the zone file $INCLUDE some other file at
the end. This other file would get updates appended to it. The picture
would then be:

  db.example.com --(dnssec-signzone)-->db.example.com.signed
                                       
      dynupd-----------------------> db.example.com.updates

  This is clearly an implementation issue.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [
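An added example, not from this thread or from BIND, of the merge-back step the message describes (folding db.example.com.signed back into an editable db.example.com): it reads a signed zone file and drops the records dnssec-signzone generated, keeping everything the operator wrote by hand. It assumes the RFC 2535-era SIG/NXT type names together with the later RRSIG/NSEC/NSEC3 names, and the zone text below is constructed.

```python
# RR types that dnssec-signzone generates and that must not survive a merge
# back into the hand-edited base zone (assumption: both the 2002-era SIG/NXT
# names and the later RRSIG/NSEC/NSEC3 names are treated as generated).
GENERATED_TYPES = {"SIG", "NXT", "RRSIG", "NSEC", "NSEC3", "NSEC3PARAM"}

def join_multiline(text):
    """Yield logical records: ';' comments stripped, ( ... ) spans joined."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # zone-file comments start with ';'
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line if not buf else line.strip())  # keep leading blank of owner
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0
    if buf:                                           # unbalanced '(' at EOF
        yield " ".join(buf)

def rr_type(record):
    """Return the RR type of one logical record, or None for $-directives."""
    if not record or record.startswith("$"):
        return None
    fields = record.split()
    start = 0 if record[0].isspace() else 1          # owner omitted when indented
    for tok in fields[start:start + 3]:               # [ttl] [class] type
        if tok.isdigit() or tok.upper() in ("IN", "CH", "HS"):
            continue
        return tok.upper()
    return None

def strip_generated(signed_zone_text):
    """Return the base zone: the signed zone minus dnssec-signzone's records."""
    kept = [r for r in join_multiline(signed_zone_text)
            if rr_type(r) not in GENERATED_TYPES]
    return "\n".join(kept) + "\n"

# Constructed sample of a signed zone; key and signature data are placeholders.
SIGNED_ZONE = """\
; constructed sample, not a real zone
$TTL 3600
$ORIGIN example.com.
@   IN SOA ns1 hostmaster (
        2002082901 3600 900 604800 3600 )
    IN NS  ns1
    IN KEY 256 3 5 AwEAAcPLACEHOLDER
    IN SIG SOA 5 2 3600 20020928000000 20020829000000 12345 example.com. (
        PLACEHOLDERSIG== )
    IN NXT ns1 NS SOA SIG KEY NXT
ns1 IN A   192.0.2.1
    IN SIG A 5 3 3600 20020928000000 20020829000000 12345 example.com. (
        PLACEHOLDERSIG== )
www IN A   192.0.2.2
"""
```

Running strip_generated(SIGNED_ZONE) leaves the directives, SOA, NS, KEY and the two A records, which is the file the operator can edit and re-sign.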
