> I have just one question, what should an inline-zone admin do? I assume
> that named automatically regenerates & removes expired RRSIGs, so is it
> sufficient to put a new KSK and ZSK in the key directory when needed and
> revoke the older ones? Thanks for your answer in advance.
Yes, it will keep RRSIGs refreshed (same as it does now with dynamic zones). Rolling keys is the same process as now; you generate a successor key (dnssec-keygen -S) and run "rndc loadkeys <zone>" to signal the server that there's a new key.

I should mention that there is a known operational issue in the current version of inline-signing that you should be cautious about. If you're using inline-signing with a master zone, and you make changes to the zone file, you should *not* kill and restart your server to load the new file. Instead, use "rndc reload" or "kill -HUP <pid>" to force named to reload the zone while it's running. That way, named will be able to compare the former version against the new one, and generate the proper set of diffs to apply to the signed zone.

If you kill and restart your server to load changes to your zone, then the signed version of the zone will fall out of sync with the raw version, and some of your data will not be accessible to queries. There's no way to recover from this condition except to delete the signed zone and start over, which generates big transfers to slaves and is generally undesirable. We'll have a fix for this in a future release.

It's not a problem when using inline-signing on slave zones; slaves load their data via zone transfer, not from files, so this issue doesn't affect them at all.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
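The two procedures in the reply above (successor-key rollover with dnssec-keygen -S plus rndc loadkeys, and reloading an edited raw zone file in place rather than restarting named), written up as a small shell runbook. This is an added example, not code from the post or from ISC; the zone name, key directory, key id and the 30/60-day retire/delete offsets are constructed placeholders, and the dnssec-settime step that sets the old key's inactivation date is my addition (dnssec-keygen -S derives the successor's timing from that date). DRY_RUN=1, the default, only prints the commands; set DRY_RUN=0 on a real server to execute them.

```shell
#!/bin/sh
# Added example (not from the original post): key rollover and zone-file
# reload steps for an inline-signing master zone in BIND 9.9.
# Zone name, key directory, key id and timing offsets below are
# constructed placeholders for illustration.
DRY_RUN=${DRY_RUN:-1}

run() {
    # Print each command; execute it as well unless dry-running.
    echo "$*"
    [ "$DRY_RUN" = "1" ] || "$@"
}

# Roll a key (ZSK or KSK) by generating an explicit successor.
#   $1 = zone, $2 = key directory, $3 = predecessor key name
#        (e.g. Kexample.com.+008+12345, a constructed placeholder)
# dnssec-keygen -S copies the predecessor's algorithm, size and type, and
# sets the successor's activation time to the predecessor's inactivation
# time (publication defaults to 30 days before that), so the retire and
# delete dates are set on the OLD key first, with dnssec-settime.
roll_key() {
    zone=$1; keydir=$2; oldkey=$3
    # Old key: inactive in 30 days, removed from the zone in 60 (constructed).
    run dnssec-settime -K "$keydir" -I +30d -D +60d "$oldkey"
    # Successor key: published now, active when the old key goes inactive.
    run dnssec-keygen -K "$keydir" -S "$oldkey"
    # Tell the running named to re-read the key directory; no restart.
    run rndc loadkeys "$zone"
}

# After editing the raw zone file: reload in place so named can diff the
# previous and new raw zone and apply the changes to the signed copy.
# Stopping and starting named here is what desynchronises the signed zone.
reload_raw_zone() {
    zone=$1
    run rndc reload "$zone"
}

# Show the zone's current signing state (useful after either step above).
signing_status() {
    zone=$1
    run rndc signing -list "$zone"
}

# Example run with placeholder values:
roll_key example.com /etc/bind/keys Kexample.com.+008+12345
reload_raw_zone example.com
signing_status example.com
```

On a live server, keep the key directory readable by named and run the script as a user allowed to talk to rndc; the dry-run output doubles as a change record for the rollover.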