On 09.12.2010 23:26, Matus UHLAR - fantomas wrote:
>> In message <20101209220716.ga2...@fantomas.sk>, Matus UHLAR - fantomas
>> writes:
>>> pardon my ignorance if this has been discussed (haven't noticed), but
>>> if BIND is configured to automatically sign dynamic zones, does it
>>> distribute DS records to parent zones somehow? and if not, what are ways to
>>> do that?
>
> On 10.12.10 09:15, Mark Andrews wrote:
>> This is IETF dnsext/dnsop fodder.
>>
>> The simple way would be to just record a TSIG key in the child zone's
>> config to update the parent zone and use signed UPDATE messages.
>> Unfortunately this has run into layer 9 issues.
>
> maybe some alternative of NOTIFY mechanism?
>
> However that's apparently why I missed it...
> I think I'll try with opendnssec. I even don't like the automatic mechanism
> much because of bulk updates which I do quite often.
>
> Is it possible (planned) for bind to sign slave zone?
> And, are incremental updates possible with dnssec?
>
> I'm thinking about hidden master bind loading (un)signed zones and providing
> axfr/ixfr to our public servers
>
webmin implements the mechanism of re-signing zones

--
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
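
The TSIG-signed UPDATE approach mentioned in the quoted text, as an added example that is not code from this thread or from BIND: it derives the child's DS record (SHA-256) from a DNSKEY and builds the batch a child operator would feed to `nsupdate -k <keyfile>`. The zone names, server name and the four-byte public key are constructed placeholders, and the helper names are hypothetical.

```python
import base64
import hashlib
import struct


def wire_name(name: str) -> bytes:
    """Canonical (lower-case) DNS wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, pubkey_b64):
    """Return (key_tag, algorithm, digest_type, hex_digest), digest type 2 = SHA-256."""
    if not flags & 0x0100:
        # RFC 4034 5.2: a DS must refer to a DNSKEY with the Zone Key flag set.
        raise ValueError("DNSKEY is not a zone key; refusing to build a DS for it")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    # DS digest input is the owner name in wire form followed by the DNSKEY RDATA.
    digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, 2, digest


def nsupdate_batch(parent_server, parent_zone, owner, ds, ttl=3600):
    """Batch for nsupdate; TSIG signing is applied by nsupdate's -k key file."""
    tag, alg, dtype, digest = ds
    return "\n".join([
        f"server {parent_server}",
        f"zone {parent_zone}",
        f"update add {owner} {ttl} DS {tag} {alg} {dtype} {digest}",
        "send",
    ]) + "\n"


# Constructed sample key material (not a real key): flags 257, protocol 3, algorithm 8.
SAMPLE_PUBKEY = base64.b64encode(b"\x01\x02\x03\x04").decode()
SAMPLE_DS = ds_record("child.example.", 257, 3, 8, SAMPLE_PUBKEY)

if __name__ == "__main__":
    print(nsupdate_batch("ns1.example.", "example.", "child.example.", SAMPLE_DS), end="")
```

On the parent side, the TSIG key used for this should be authorized only for the DS type at the child's own name, so a compromised child key cannot alter anything else in the parent zone.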