> Well, it's a better work around than what I have been doing, but not
> having the RFC 5011 behaviour is quite a disappointment. Now I have
> presentiments of disaster should the DLV key have to be rolled for
> whatever reason.

Sorry, I misunderstood your question--I thought you wanted to know how
to use DLV without having a managed-keys zone created at all.

In 9.7.1 and above, you can use "managed-keys" statements at the view
level as well as globally. (This was a known limitation in 9.7.0.)
You can also use "dnssec-lookaside auto" at the view level.

You'll want to set a "managed-keys-directory" option. For example:

    options {
        ...
        managed-keys-directory "managed-keys";
    };

    view external {
        match-clients { ... };
        dnssec-lookaside auto;
        ...
    };

Make sure you create the "managed-keys" directory within the working
directory for the named process, and that it's writable. Each view
using this feature will create a separate file to store key data, and
the filenames they use are... well, let's just say "unwieldy". Best to
segregate them into a directory where you don't have to look at them.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
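
A preflight check for the setup described in the message above, as an added example that is not part of the original post or of BIND itself. It resolves "managed-keys-directory" against the "directory" option, confirms the result exists and is writable, and lists the views that enable "dnssec-lookaside auto". Assumptions: the sample configuration is constructed, "/var/named" is an assumed working directory, the function names are hypothetical, and the regex parsing ignores comments and include files.

```python
import os
import re

# Constructed sample; "/var/named" is an assumed working directory.
SAMPLE_CONF = '''
options {
    directory "/var/named";
    managed-keys-directory "managed-keys";
};
view external {
    match-clients { any; };
    dnssec-lookaside auto;
};
view internal { match-clients { localhost; }; };
'''

def option(conf, name):
    """Quoted value of a named.conf option, or None when absent."""
    m = re.search(r'^\s*' + re.escape(name) + r'\s+"([^"]*)"\s*;', conf, re.M)
    return m.group(1) if m else None

def lookaside_views(conf):
    """Views with 'dnssec-lookaside auto'; each one writes its own key file."""
    found = []
    for m in re.finditer(r'\bview\s+"?([\w.-]+)"?\s*\{', conf):
        depth, end = 0, len(conf)
        for i in range(m.end() - 1, len(conf)):   # walk to the matching brace
            depth += {'{': 1, '}': -1}.get(conf[i], 0)
            if depth == 0:
                end = i
                break
        if re.search(r'dnssec-lookaside\s+auto\s*;', conf[m.end():end]):
            found.append(m.group(1))
    return found

def check(conf, root="/"):
    """Return (resolved key directory, lookaside views, list of problems)."""
    workdir = option(conf, "directory") or "."
    keydir = option(conf, "managed-keys-directory")
    problems = [] if keydir else ["managed-keys-directory not set"]
    path = os.path.normpath(os.path.join(workdir, keydir or "."))
    real = os.path.join(root, path.lstrip("/"))   # root lets tests use a sandbox
    if not os.path.isdir(real):
        problems.append(f"{path} does not exist")
    elif not os.access(real, os.W_OK | os.X_OK):  # checked as the current user
        problems.append(f"{path} is not writable")
    return path, lookaside_views(conf), problems
```

Run it as the account named runs under, since the writability test uses the current user's permissions.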