On Wed, 2012-01-11 at 11:50 -0500, Howard Leadmon wrote:
> Thanks, I will head on over and take a look, sounds like something I should
> be interested in. Now if FreeBSD would just add 9.9 to the ports
> collection, it would save me from having to build it by hand..

I think BIND 9.9 is definitely part of the solution.

I - like others - have a few scripts to try and do the right thing.

I've created "How to set up a Recursive Server" at http://dnssec.co.za/

I've written a script that manages flat files (i.e. how you want to edit your zones) and generates signed zones as needed. You can see a presentation and the script at http://posixafrica.com/

(Both those zones are DNSSEC signed)

The big error in my script is I continuously re-sign the zone from scratch rather than properly maintain the signed zone... but it works (because I generate a new DNSSEC key before the zone becomes stale). Anyway, that is why I'm so interested in BIND 9.9 myself.

My script also does Key Generation, checks for the source zone changing (by check-sums), updates the SOA Serial No - etc.

Once I've deployed BIND 9.9 - I'll re-work the script to run properly signed and managed zones.

Next great thing would be for ISC to support the Soft-HSM that OpenDNSSEC uses. I believe that this would make the step of moving to a real hardware HSM a lot easier (if necessary).

--
Mark J Elkins, Cisco CCIE
Posix Systems - (South) Africa
m...@posix.co.za
Tel: +27 12 807 0590  Cell: +27 82 601 0496
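
The checksum-based change detection and SOA serial update mentioned in the message can be sketched as follows. This is an added example, not Mark's script or ISC code; the function names, the YYYYMMDDnn serial convention and the sample zone are assumptions, and the signing step itself is left to the caller.

```python
import hashlib
import re

# Assumes the common layout where the serial is the first number inside
# the parentheses of the SOA record.
SOA_SERIAL = re.compile(r"(\bSOA\b[^()]*\(\s*)(\d+)")

# Constructed sample flat zone file (documentation names and addresses).
ZONE = """$TTL 3600
@ IN SOA ns1.example.test. hostmaster.example.test. (
        2012011101 ; serial
        7200 3600 1209600 3600 )
@ IN NS ns1.example.test.
www IN A 192.0.2.10
"""

def content_digest(zone_text):
    """SHA-256 of the zone with the serial masked out, so that bumping
    the serial does not itself look like an edit on the next run."""
    masked = SOA_SERIAL.sub(lambda m: m.group(1) + "SERIAL", zone_text, count=1)
    return hashlib.sha256(masked.encode()).hexdigest()

def next_serial(current, today):
    """Next YYYYMMDDnn serial: today's first revision, or current + 1
    when the zone was already revised today (serials must only grow)."""
    return max(int(today) * 100, current + 1)

def prepare_zone(zone_text, last_digest, today):
    """Return (zone_text, digest, needs_signing). The serial is bumped
    only when the content differs from the digest stored last run."""
    digest = content_digest(zone_text)
    if digest == last_digest:
        return zone_text, digest, False
    m = SOA_SERIAL.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone")
    new = next_serial(int(m.group(2)), today)
    bumped = zone_text[:m.start(2)] + str(new) + zone_text[m.end(2):]
    return bumped, digest, True

if __name__ == "__main__":
    zone, digest, resign = prepare_zone(ZONE, None, "20120111")
    print(resign, digest[:16])
    print(zone)
```

Store the returned digest between runs and hand the zone to the signer only when `needs_signing` is true.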
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users