> What is a "dynamic zone" in this context?

In the case of master zones, it means the zone allows DDNS updates (e.g., from nsupdate). So it either has an update-policy set, or an allow-update ACL set to something other than "none". (Incidentally, making it easier to set up DDNS and, by extension, automatic re-signing, is a planned feature for 9.7.)
BIND 9 has, I believe, always had some support for automatic signing in the case of zone updates--at least as far back as 9.3, and I haven't looked at anything earlier. Basically, if you have a signed zone and you insert a new record, that record will automatically have an RRSIG generated for it.

The enhancement in 9.6 is that signatures are also kept up to date on a schedule. By default, signatures are generated with a validity period of 30 days, and regenerated a quarter of the way through that time, i.e., after seven and a half days. These values can be configured with the "sig-validity-interval" option, for details of which see the ARM. Also see "sig-signing-nodes" and "sig-signing-signatures".

> I assume the "secure" means the zone file has been signed at least once?

That's correct. There's some experimental code in bin/named/update.c, ifdeffed out under the names ALLOW_INSECURE_TO_SECURE and ALLOW_SECURE_TO_INSECURE, that allows you to make an unsigned zone sign itself if you insert a DNSKEY RRset into it. But when I say "experimental" I mean it: this is *not yet supported*. It may turn up as a feature in 9.7, though.

> Does the named user also need write access to the zone files to
> accomplish the resigning?

To the zone files, and to the directory they're in, so named can create journal files.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
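As an added illustration (not part of the original post), a named.conf fragment showing the difference between a dynamic zone, which named will accept updates for and keep re-signing, and a static one. Zone names, file names and the TSIG key are placeholders; the zone file is assumed to have been signed once already with dnssec-signzone.

```conf
options {
    // named creates journal (.jnl) files beside the zone files, so the
    // named user needs write access to this directory as well as the files.
    directory "/var/named";

    // Signature validity in days (default 30). Signatures are regenerated a
    // quarter of the way through the interval, i.e. after 7.5 days here.
    sig-validity-interval 30;
};

// Placeholder TSIG key used to authenticate nsupdate requests.
// Generate a real secret with dnssec-keygen; never reuse this value.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

// Dynamic zone: update-policy is set, so the zone accepts DDNS updates and
// named keeps RRSIGs current. The file must already be a signed zone file
// (the "secure" case) and must be writable by the named user.
zone "example.com" {
    type master;
    file "example.com.signed";
    update-policy {
        // Only this key may change the A record of one hostname.
        grant ddns-key name host.example.com. A;
    };
};

// Not a dynamic zone: allow-update is "none" (the default), so no DDNS and
// no automatic re-signing; re-sign it manually with dnssec-signzone.
zone "static.example" {
    type master;
    file "static.example.signed";
    allow-update { none; };
};
```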