On Tue, Mar 13, 2018 at 12:30:57PM -0400, Jim Popovitch via bind-users wrote:
> Is there a roadmap for DNSSEC signing capabilities? I'm specifically
> wondering if any features are planned to fully automate signing, such
> as being able to specify simple zone options like "dnssec-cycle=90d;"
> and having bind9 fully manage this, perpetually.

There are no plans to have named generate keys by itself. However, you can
run the "dnssec-keymgr" tool in a cron job and it'll keep your keys up to
date according to a defined policy, generating new ones as needed, and then
named will use them. In this way you can fully automate ZSK rollovers.

KSK rollovers are still trickier since they require interaction with your
parent zone. I hope to get support for CDS/CDNSKEY signaling into
dnssec-keymgr, but whether that ultimately will be useful or not depends on
whether domain registrars make use of it.

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
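
The setup described in the reply above, sketched as an added example that is not part of the original thread and is not ISC's own configuration. The zone name `example.com`, the policy name `zsk-90d`, the paths and the cron schedule are all assumptions; the three fragments belong in three separate files.

```conf
# --- /etc/dnssec-policy.conf (read by dnssec-keymgr) ---------------------
# Constructed policy: roll the ZSK every 90 days, as asked in the question.
policy zsk-90d {
    algorithm RSASHA256;
    coverage 1y;              # keep keys scheduled a year ahead
    directory "/var/named/keys";
    key-size ksk 2048;
    key-size zsk 2048;
    roll-period zsk 90d;
    pre-publish zsk 1w;       # publish the successor a week before it signs
    post-publish zsk 1w;      # keep the retired key published for a week
    # No "roll-period ksk" here: a KSK roll needs the DS record at the
    # parent zone updated, which this tool cannot do for you.
};

zone example.com {
    policy zsk-90d;
};

# --- crontab entry for the account that owns the key directory -----------
# Daily run: dnssec-keymgr creates successor keys and sets their timing
# metadata. Use the full path to the binary if it is not on cron's PATH.
17 3 * * * dnssec-keymgr -c /etc/dnssec-policy.conf -K /var/named/keys example.com

# --- named.conf zone statement -------------------------------------------
zone "example.com" {
    type master;
    file "example.com.db";
    key-directory "/var/named/keys";   # same directory the cron job writes to
    inline-signing yes;
    auto-dnssec maintain;     # named signs with whichever keys are active
};
```

With `auto-dnssec maintain`, named rechecks the key directory on its own at the `dnssec-loadkeys-interval` (60 minutes by default), so keys written by the cron job are picked up without a reload.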