To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
Cc: "Loomis, Rip" <GILBERT.R.LOOMIS@saic.com>, "'dnssec@cafax.se '" <dnssec@cafax.se>
From: Mark.Andrews@isc.org
Date: Fri, 30 Aug 2002 10:06:47 +1000
In-reply-to: Your message of "Thu, 29 Aug 2002 13:14:13 -0400." <200208291715.g7THEE5U003890@marajade.sandelman.ottawa.on.ca>
Sender: owner-dnssec@cafax.se
Subject: Re: Dynamic update, signed zones, and DS/Opt-in
> >>>>> "Loomis," == Loomis, Rip <GILBERT.R.LOOMIS@saic.com> writes:
> >> The major operational issues that I have are issues with being unable
> >> to edit the zone file properly. bind9, when it writes out the zone
> >> file, writes out the .signed file, which then gets wiped out
> >> again. That is currently keeping me from doing dynamic update more
> >> often.
>
> Loomis> So you have the key online, and automatic re-signing after each
> Loomis> dynamic update, but the zone file gets wiped out before the
> Loomis> re-signing is complete? Or did I miss something...
>
> db.example.com --(dnssec-signzone)-->db.example.com.signed
>                                               ^
> dynupd-------------------------------------/ updates (w/re-signs)
>
> If I want to change something in the base zone, I have to stop named,
> merge db.example.com.signed back into db.example.com, edit, resign,
> and restart.

No you don't. You just need to use UPDATE to make the change.
A signed zone is no different to an unsigned zone in this respect.

You have told the nameserver that it is managing the zone.
Let the server manage the zone.

Yes, there are some things that named should be doing that it
currently isn't, like re-signing records before they expire, as
it is responsible for the management of the zone.

Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews@isc.org
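Mark's point is that the change should go in through the server's UPDATE interface (RFC 2136), which is what nsupdate speaks, rather than through the zone file. The following Python is an added example, not part of this thread and not BIND or nsupdate code: it builds the wire-format UPDATE message that an `nsupdate` session of `prereq nxdomain www.example.com` / `update add www.example.com 3600 A 192.0.2.10` / `send` would produce, and parses it back so the sections can be checked. The zone `example.com`, the host `www.example.com`, the address 192.0.2.10 and the message ID are made-up values. It deliberately omits the TSIG record that a real deployment would attach (named's `allow-update` or `update-policy` should never accept unauthenticated updates), so nothing here should be pointed at a production server as-is.

```python
"""Build and parse an RFC 2136 DNS UPDATE message (added example; names are made up)."""
import socket
import struct

OPCODE_UPDATE = 5                         # RFC 2136 section 2: opcode value for UPDATE
TYPE_A, TYPE_SOA, TYPE_ANY = 1, 6, 255
CLASS_IN, CLASS_NONE, CLASS_ANY = 1, 254, 255


def encode_name(name: str) -> bytes:
    """Uncompressed wire form of a domain name: length-prefixed labels, then a root byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def encode_rr(name: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """One resource record: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


class UpdateMessage:
    """Collects prerequisite and update RRs for a single zone (RFC 2136 sections 2.4 and 2.5)."""

    def __init__(self, zone: str, msg_id: int = 0x1234):   # msg_id is an arbitrary made-up value
        self.zone, self.msg_id = zone, msg_id
        self.prereqs: list = []
        self.updates: list = []

    def require_name_not_in_use(self, name: str) -> None:
        """2.4.5 'Name is not in use': CLASS=NONE, TYPE=ANY, TTL=0, empty RDATA."""
        self.prereqs.append(encode_rr(name, TYPE_ANY, CLASS_NONE, 0, b""))

    def require_rrset_exists(self, name: str, rtype: int) -> None:
        """2.4.1 'RRset exists (value independent)': CLASS=ANY, TTL=0, empty RDATA."""
        self.prereqs.append(encode_rr(name, rtype, CLASS_ANY, 0, b""))

    def add_record(self, name: str, rtype: int, ttl: int, rdata: bytes) -> None:
        """2.5.1 'Add to an RRset': CLASS is the zone's class (IN here)."""
        self.updates.append(encode_rr(name, rtype, CLASS_IN, ttl, rdata))

    def delete_rrset(self, name: str, rtype: int) -> None:
        """2.5.2 'Delete an RRset': CLASS=ANY, TTL=0, empty RDATA."""
        self.updates.append(encode_rr(name, rtype, CLASS_ANY, 0, b""))

    def delete_record(self, name: str, rtype: int, rdata: bytes) -> None:
        """2.5.4 'Delete an RR from an RRset': CLASS=NONE, TTL=0, RDATA names the RR."""
        self.updates.append(encode_rr(name, rtype, CLASS_NONE, 0, rdata))

    def to_wire(self) -> bytes:
        flags = OPCODE_UPDATE << 11           # QR=0, Opcode=UPDATE, every other flag bit clear
        header = struct.pack("!HHHHHH", self.msg_id, flags,
                             1, len(self.prereqs), len(self.updates), 0)  # ZO, PR, UP, AD counts
        zone = encode_name(self.zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
        return header + zone + b"".join(self.prereqs) + b"".join(self.updates)


def parse_update(wire: bytes) -> dict:
    """Walk the header, zone, prerequisite and update sections back out of the wire bytes."""
    msg_id, flags, zo, pr, up, ad = struct.unpack("!HHHHHH", wire[:12])
    pos = 12

    def read_name(p):
        labels = []
        while True:
            n = wire[p]
            p += 1
            if n == 0:
                break
            if n & 0xC0:                      # we never emit compression pointers
                raise ValueError("compressed name not supported")
            labels.append(wire[p:p + n].decode("ascii"))
            p += n
        return ".".join(labels) + ".", p

    def read_rrs(count, p):
        rrs = []
        for _ in range(count):
            name, p = read_name(p)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", wire[p:p + 10])
            p += 10
            rrs.append((name, rtype, rclass, ttl, wire[p:p + rdlen]))
            p += rdlen
        return rrs, p

    zones = []
    for _ in range(zo):
        name, pos = read_name(pos)
        rtype, rclass = struct.unpack("!HH", wire[pos:pos + 4])
        pos += 4
        zones.append((name, rtype, rclass))
    prereqs, pos = read_rrs(pr, pos)
    updates, pos = read_rrs(up, pos)
    if ad != 0 or pos != len(wire):           # no TSIG/additional section in this example
        raise ValueError("unexpected additional section or trailing bytes")
    return {"id": msg_id, "opcode": (flags >> 11) & 0xF,
            "zone": zones, "prereq": prereqs, "update": updates}


def build_add_www(zone="example.com", host="www.example.com", addr="192.0.2.10") -> bytes:
    """The made-up 'add www if it does not exist yet' update from the lead-in."""
    msg = UpdateMessage(zone)
    msg.require_name_not_in_use(host)
    msg.add_record(host, TYPE_A, 3600, socket.inet_aton(addr))
    return msg.to_wire()


if __name__ == "__main__":
    print(parse_update(build_add_www()))
```

The prerequisite is the part worth copying: an UPDATE that asserts "this name does not exist" (or "this RRset exists") before it adds or deletes fails atomically if someone else changed the zone first, which is exactly the race the stop-merge-edit-resign-restart workflow cannot avoid. The server applies the whole update or none of it, and a BIND 9 server configured to re-sign on update then generates the new RRSIGs itself.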