On 18/07/2010 17:58:15, Evan Hunt wrote:
>> Is there a way of using dnssec-lookaside and forcing bind not to
>> maintain a managed-keys-zone for certain views?
>
> Sure, just do it the old way, without "dnssec-lookaside auto".
> Put these in the view statement:
>
> dnssec-lookaside . trust-anchor dlv.isc.org;
>
> trusted-keys {
> dlv.isc.org. 257 3 5
> "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2
> brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+
> 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5
> ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk
> Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM
> QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
> };
>
> (Except, you know, get the key text from a secure channel or from the
> signed bind9 distribution, not from email...)
Well, it's a better workaround than what I have been doing, but not having the RFC 5011 behaviour is quite a disappointment. Now I have presentiments of disaster should the DLV key have to be rolled for whatever reason.

Think I'll just drop the external-chaos view. Some script kiddie working out I'm running the latest version of bind is likely to be lower risk and a lot less harmful than dealing with broken dnssec chains of trust.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
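The two per-view arrangements discussed in this thread side by side, as an added illustration rather than configuration posted by either participant: one view keeps `dnssec-lookaside auto` (BIND maintains a managed-keys zone for it and tracks the DLV key under RFC 5011), the other uses the static trust anchor Evan describes, which gets no automatic rollover. The view names, client ranges and the key placeholder are assumptions.

```conf
options {
    dnssec-enable yes;
    dnssec-validation yes;
};

// View 1: DLV anchor managed by BIND. A managed-keys zone is created for
// this view and the DLV key is tracked under RFC 5011, so a key rollover
// at dlv.isc.org needs no operator action.
view "internal" {
    match-clients { 192.0.2.0/24; };   // assumed client range
    recursion yes;
    dnssec-lookaside auto;
};

// View 2: static DLV anchor, the "old way". No managed-keys zone is kept
// for this view, but the key below never rolls by itself: if dlv.isc.org
// changes its key, validation in this view fails until the operator
// replaces the key text by hand.
view "external" {
    match-clients { any; };
    recursion yes;
    dnssec-lookaside . trust-anchor dlv.isc.org;
    trusted-keys {
        // Placeholder: take the real key text from the signed BIND
        // distribution or another trusted source, not from mail.
        dlv.isc.org. 257 3 5 "<DLV KEY FROM SIGNED BIND DISTRIBUTION>";
    };
};
```

The operational trade-off is exactly the one Matthew names: the static view avoids the managed-keys zone but puts the DLV key rollover on the operator's calendar.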
bind-users mailing list: bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users