In message <[email protected]>, Richard Doty writes:
> I am running bind 9.5.0, and have a dynamic zone with two ZSK set
> up in the pre-publish manner - one ZSK is "published" but not used
> for signing, one ZSK is "active" and signs all records.  That's
> how I use them when I do a full re-sign with dnssec-signzone.  But
> when I make a dynamic update to the zone, bind signs the updated
> record with both ZSKs.  That makes sense because bind has no way
> to tell the two ZSKs apart.

        Firstly I would just upgrade to BIND 9.6 so you don't need
        to use dnssec-signzone to re-sign the zone.

        Named will re-sign using the private keys it has available
        to it.  Just keep the private key where named can't see it
        until you wish it to be used.  Then move it into place when
        you wish it to start signing and then move the existing
        private key out of the way.  Note the order of operations
        is important otherwise there will be a time when named has
        no private keys available to re-sign.

        We are looking at adding start and stop dates to keys so
        this will be less complicated in future.

        Mark
 
> So I guess my question is - does pre-publish work with dynamic update?
> If so, how is it configured?
> 
> Thanks,
> 
> Richard.
> _______________________________________________
> bind-users mailing list
> [email protected]
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
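The order of operations Mark describes, worked through as an added example (this is not code from the thread and not part of BIND's own tooling): a POSIX shell sketch of a pre-publish ZSK rollover on a zone that named signs itself. It goes slightly beyond the reply by adding a guard that refuses to proceed whenever named would be left with no private key, and by emitting the nsupdate commands that put the new ZSK's DNSKEY into the zone ahead of time. Assumptions: KEYDIR stands for the directory named reads private keys from, STAGING for wherever the pre-published key's private half waits, and all key file names and contents are constructed placeholders rather than dnssec-keygen output.

```shell
#!/bin/sh
# Added example (not from the thread): pre-publish ZSK rollover for a zone
# that named re-signs itself, keeping the private-key ordering Mark describes.
# KEYDIR/STAGING locations and the key file names are assumptions.

KEYDIR="${KEYDIR:-$(pwd)/keys-live}"        # assumed: where named looks for private keys
STAGING="${STAGING:-$(pwd)/keys-staging}"   # assumed: private half of the pre-published key

# Number of private keys currently visible to named in a directory.
count_private_keys() {
    n=0
    for f in "$1"/K*.private; do
        [ -f "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# True only while named still has at least one private key to re-sign with.
check_signable() {
    [ "$(count_private_keys "$KEYDIR")" -ge 1 ]
}

# Emit nsupdate commands that publish the new ZSK's DNSKEY ahead of use.
# Only the public (.key) half is needed; the file is assumed to hold one
# "owner IN DNSKEY flags proto alg base64" line plus ';' comment lines.
publish_dnskey_cmds() {
    zone="$1"; keyfile="$2"; ttl="${3:-3600}"
    set -- $(grep -v '^;' "$keyfile")
    owner="$1"; shift
    echo "server 127.0.0.1"
    echo "zone $zone"
    echo "update add $owner $ttl $*"
    echo "send"
}

# Swap the signing ZSK without ever leaving named key-less:
#   1. move the new key's private half INTO KEYDIR  (named signs with both)
#   2. move the old key's private half OUT of KEYDIR (named signs with new only)
# Reversing the two steps is exactly the gap the reply warns about.
rollover_zsk() {
    old="$1"; new="$2"
    check_signable || { echo "refusing: no private key in $KEYDIR" >&2; return 1; }
    mv "$STAGING/$new.private" "$KEYDIR/$new.private" || return 1
    check_signable || return 1
    mv "$KEYDIR/$old.private" "$STAGING/$old.private.retired" || return 1
    check_signable || return 1
}

# Constructed fixture for a dry run: placeholder files standing in for
# dnssec-keygen output (key tags and contents are made up, not real keys).
setup_demo() {
    rm -rf "$KEYDIR" "$STAGING"
    mkdir -p "$KEYDIR" "$STAGING"
    printf 'PLACEHOLDER-PRIVATE\n' > "$KEYDIR/Kexample.com.+005+11111.private"
    printf 'PLACEHOLDER-PRIVATE\n' > "$STAGING/Kexample.com.+005+22222.private"
    printf '; constructed placeholder key\nexample.com. IN DNSKEY 256 3 5 PLACEHOLDERBASE64==\n' \
        > "$STAGING/Kexample.com.+005+22222.key"
}
```

Usage: after `setup_demo`, `publish_dnskey_cmds example.com "$STAGING/Kexample.com.+005+22222.key" | nsupdate -k <tsig-key>` would publish the DNSKEY, and once the new key has propagated, `rollover_zsk Kexample.com.+005+11111 Kexample.com.+005+22222` performs the swap in the safe order. Run `rndc reload` (or whatever your named expects) after changing KEYDIR contents if named does not pick the keys up on its own.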