> Now, you can *also* turn on DDNS and use nsupdate on an inline-signing 
> zone...  but, if you're going to be using DDNS anyway, then I'm unclear what 
> operational need is being served by separating the data.  With or without 
> inline-signing, your master file will be overwritten, and you'll have to 
> concern yourself with freezing and thawing... and *with* inline-signing, 
> there are more moving parts.  So, I'd probably just use DDNS, turn off 
> inline-signing, and let the zone take care of itself.

Thank you for your detailed response, Evan. Here's my operational plan. First 
of all we are a small organization with a few DNS zones that we manage for 
ourselves. I have also grown accustomed to using nsupdate -- the changes to the 
zone files are few and infrequent. From time to time I want to review the 
current state of the zone files. I have been accustomed with v9.8 to taking a 
copy of a signed zone file and stripping out the DNSSEC-related records in a 
text editor for easy review. I have been using dnsviz.net to verify 
periodically that DNSSEC is operating properly. Now in v9.9, I can eliminate 
this somewhat tedious step with my text editor because with inline signing, 
there is always an unsigned zone file available to me. If I am in a hurry to do 
my review after making an update, I can use "rndc sync myzone". Similarly in my 
nightly backup cron job, I can now back up both the signed and unsigned zone 
files after "rndc freeze myzone" to make sure they have incorporated the 
latest changes. I'm assuming that "rndc freeze myzone" freezes both the 
signed and unsigned zone files. I'm not worried about the freezing and thawing 
-- my cron job has been doing that with v9.8 with no apparent problems. I am 
also not worried about the increased number of moving parts -- I think it is 
reasonable to rely upon ISC to get this all working correctly. In v9.9.0b2, 
there is a problem with "rndc freeze" (reported earlier as [ISC-Bugs #26632]) 
so I will continue to test this with subsequent versions. Thanks again. Jeff.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
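
The manual review step described in the message above (stripping the DNSSEC-related records out of a copy of a signed zone file) can be scripted for servers where inline signing is not available. This is an added example, not part of the original message and not BIND code; the function name, the list of record types and the sample zone are assumptions made for illustration. It assumes no `;` or parentheses inside quoted strings and no blank-owner record directly after an `$ORIGIN` change.

```python
import re

# Assumption: what counts as "DNSSEC-related". DS is kept as operator-entered
# delegation data; TYPE65534 is BIND's default private signing-state type.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "TYPE65534"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"(?:\d+[smhdw])*\d*", re.IGNORECASE)  # 3600, 1h30m, 1w

def strip_dnssec(zone_text):
    """Return zone_text without DNSSEC records, keeping owner names explicit."""
    out, lines, code, depth, owner = [], [], "", 0, None
    for raw in zone_text.splitlines():
        part = raw.split(";", 1)[0]           # drop the comment (simplified)
        if not lines and not part.strip():
            continue                          # blank or comment-only line
        lines.append(raw.rstrip())
        code += " " + part
        depth += part.count("(") - part.count(")")
        if depth > 0:
            continue                          # still inside a multi-line record
        record, tokens = lines, code.replace("(", " ").replace(")", " ").split()
        lines, code, depth = [], "", 0
        if not tokens or tokens[0].startswith("$"):
            out.extend(record)                # $ORIGIN / $TTL pass through
            continue
        inherited = record[0][:1].isspace()   # blank owner = same as previous
        if not inherited:
            owner = tokens.pop(0)
        while tokens and (TTL_RE.fullmatch(tokens[0]) or tokens[0].upper() in CLASSES):
            tokens.pop(0)                     # optional TTL and class, either order
        if tokens and tokens[0].upper() in DNSSEC_TYPES:
            continue                          # drop the whole record
        if inherited and owner:               # the line naming the owner may be gone
            record[0] = owner + " " + record[0].lstrip()
        out.extend(record)
    return "\n".join(out) + "\n"

# Constructed sample in master-file format (not taken from the thread).
SAMPLE = """\
$ORIGIN example.com.
@   3600 IN SOA ns1 hostmaster ( 2012010101 ; serial
        7200 3600 1209600 3600 )
    3600 RRSIG SOA 5 2 3600 20120201000000 (
        20120101000000 12345 example.com. c2ln )
    3600 NS ns1
www 300 IN RRSIG A 5 3 300 20120201000000 20120101000000 12345 example.com. c2ln
    300 IN A 192.0.2.10
    300 NSEC example.com. A RRSIG NSEC
"""
```

Calling `strip_dnssec(SAMPLE)` returns the SOA, NS and A records only; the A record gets its owner `www` written out because the RRSIG line that carried the name was removed.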
