Using one key to sign multiple zones (aka key sharing)
Hello,

I've tried to sign multiple zones using the same key. But it seems that currently Bind does not allow this. Is this an omission or by design?

I know OpenDNSSEC can do this, and IIRC there is nothing in the RFCs that disallows key sharing.

Regards,
Tim

--
Tim Verhoeven - tim.verhoeven...@gmail.com - 0479 / 88 11 83

Hoping the problem magically goes away by ignoring it is the "microsoft approach to programming" and should never be allowed.
(Linus Torvalds)

___
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: bind 9.7, dnssec and multiple key directories and resalt NSEC3
On Fri, Jun 4, 2010 at 1:18 PM, Phil Mayers wrote:
> On 04/06/10 11:11, Tim Verhoeven wrote:
>>
>> I'm currently testing the automatic signing for DNSSEC present in Bind
>> 9.7. I'm currently using Bind 9.7.0 and I have 2 questions.
>>
>> The first one, can I configure multiple key directories? The reasoning
>> for this is that I would like to separate the KSKs from the ZSKs.
>> And this to be able to not have the KSKs present all the time by
>> putting them on a removable media. For the ZSKs I have no choice
>> since I will be doing dynamic updates.
>> Or are there other means to do this except from adding and removing
>> the KSKs when needed?
>
> Symlinks to the KSK in another directory?

A good one, why haven't I thought of that myself ;-)

Thanks,
Tim
bind 9.7, dnssec and multiple key directories and resalt NSEC3
Hi,

I'm currently testing the automatic signing for DNSSEC present in Bind 9.7. I'm currently using Bind 9.7.0 and I have 2 questions.

The first one, can I configure multiple key directories? The reasoning for this is that I would like to separate the KSKs from the ZSKs. And this to be able to not have the KSKs present all the time by putting them on a removable media. For the ZSKs I have no choice since I will be doing dynamic updates. Or are there other means to do this except from adding and removing the KSKs when needed?

The second question. I've tried doing a resalt using dynamic updates but I can't get it to work. Just adding a new NSEC3PARAM RR crashes Bind, and doing a delete and then an add (to replace the present RR) gives me a servfail, but I see the updates in the log. What is the correct way to do a resalt when using automatic signing?

Thank you,
Tim