> In message <20101209220716.ga2...@fantomas.sk>, Matus UHLAR - fantomas writes: > > pardon my ignorance if this has been discussed (haven't notice), but > > if BIND is configured to automatically sign dynamic zones, does it > > distribute DS records to parent zones somehow? and if not, what are ways to > > do that?
On 10.12.10 09:15, Mark Andrews wrote: > This is IETF dnsext/dnsop fodder. > > The simple way would be to just record a TSIG key in the child zones > config to update the parent zone and use signed UPDATE messages. > Unfortunately this has run into layer 9 issues. maybe some alternative of NOTIFY mechanism? However that's apparently why I missed it... I think I'll try with opendnssec. I even don't like the automatic mechanism much because of bulk updates which I do quite often. Is it possible(planned) for bind to sign slave zone? And, are incremental updates possible with dnssec? I'm thinking about hidden master bind loading (un)signed zones and providing axfr/ixfr to our public servers -- Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/ Warning: I wish NOT to receive e-mail advertising to this address. Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu. Despite the cost of living, have you noticed how popular it remains? _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users