Olaf M. Kolkman wrote:
3.6 Private Key Storage
It is recommended that, where possible, zone private keys and the
zone file master copy be kept and used in off-line, non-network
connected, physically secure machines only. Periodically an
application can be run to add authentication to a zone by adding
and NSEC RRs. Then the augmented file can be transferred,
When relying on dynamic update to manage a signed zone, be aware
that at least one zone's private key will have to reside on the
This reads funny... I suggest "...at least one of the zone's private
keys..."
master server. This key is only as secure as the amount of
exposure the server receives to unknown clients and the security of
the host. Although not mandatory, one could administer the DNS in
the following way. The master that processes the dynamic updates is
unavailable from generic hosts on the Internet; it is not listed in
the NS RR set although its name appears in the SOA RR's MNAME field.
The nameservers in the NS RR set are able to receive zone updates
through NOTIFY, IXFR, AXFR or out-of-band distribution mechanisms.
This approach is known as the "hidden master" setup.
--
>>>ApacheCon Europe<<< http://www.apachecon.com/
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
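The hidden-master property the quoted draft text describes is easy to check mechanically from the zone's apex data: the host named in the SOA MNAME field (where dynamic updates land, and therefore where at least one private key is online) must not appear in the NS RRset. The following is an added example written for this page, not code from the draft or from anyone in the thread. The zone data, the hostnames (ns-master, ns1, ns2 under example.net) and the addresses are constructed for illustration; the small zone-file parser handles only the directives and record types this check needs.

```python
"""Check a zone's apex data for the "hidden master" layout: the SOA MNAME
host (update master, holds a private key online) must not be in the NS
RRset, so generic Internet hosts are never pointed at it.

Added example; zone data and hostnames below are constructed, not real.
"""

# Constructed apex records in presentation (zone file) format.
HIDDEN_MASTER_ZONE = """\
$ORIGIN example.net.
$TTL 3600
@       IN SOA  ns-master.example.net. hostmaster.example.net. (
                2024010101 ; serial
                7200       ; refresh
                900        ; retry
                1209600    ; expire
                3600 )     ; negative-caching TTL
        IN NS   ns1.example.net.
        IN NS   ns2
ns-master   IN A    192.0.2.10
ns1         IN A    192.0.2.53
ns2         IN A    198.51.100.53
ns2         IN AAAA 2001:db8::53
"""

# Same zone, but the update master is also published as a nameserver:
# it is no longer hidden, every resolver can find it via the NS RRset.
EXPOSED_MASTER_ZONE = HIDDEN_MASTER_ZONE + "@   IN NS   ns-master\n"

_CLASSES = {"IN", "CH", "HS"}


def _strip_comments(text):
    # Drop ';' comments; the records handled here contain no quoted strings.
    return [line.split(";", 1)[0].rstrip() for line in text.splitlines()]


def _join_parens(lines):
    # Fold multi-line "( ... )" rdata (SOA) onto one logical line, keeping
    # the first line's leading whitespace, which marks a blank owner name.
    out, buf, depth = [], [], 0
    for line in lines:
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf, depth = [], 0
    if buf:
        out.append(" ".join(buf))
    return out


def _absolute(name, origin):
    # Expand '@' and relative names against $ORIGIN; lower-case for comparison.
    if name.endswith("."):
        return name.lower()
    if origin is None:
        raise ValueError(f"relative name {name!r} used before $ORIGIN")
    return origin if name == "@" else f"{name}.{origin}".lower()


def parse_apex(zone_text):
    """Return (origin, soa_mname, set of NS targets, {owner: [addresses]})."""
    origin, owner, mname, ns, addrs = None, None, None, set(), {}
    for line in _join_parens(_strip_comments(zone_text)):
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if tokens[0].startswith("$"):          # $TTL and other directives
            continue
        if not line[0].isspace():               # blank owner reuses the previous one
            owner = _absolute(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in _CLASSES):
            tokens.pop(0)                       # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "SOA":
            mname = _absolute(rdata[0], origin)
        elif rtype == "NS":
            ns.add(_absolute(rdata[0], origin))
        elif rtype in ("A", "AAAA"):
            addrs.setdefault(owner, []).append(rdata[0])
    return origin, mname, ns, addrs


def hidden_master_report(zone_text):
    """Evaluate the hidden-master property and return the findings."""
    origin, mname, ns, addrs = parse_apex(zone_text)
    report = {"mname": mname, "ns": sorted(ns), "hidden": False,
              "mname_addrs": addrs.get(mname, []), "problems": []}
    if mname is None:
        report["problems"].append("no SOA record at the apex")
        return report
    if not ns:
        report["problems"].append("no NS records at the apex")
    report["hidden"] = mname not in ns
    if not report["hidden"]:
        report["problems"].append(
            f"SOA MNAME {mname} is listed in the NS RRset: the update master "
            "is advertised to every resolver, so it is not hidden")
    in_zone = mname == origin or mname.endswith("." + origin)
    if in_zone and not report["mname_addrs"]:
        report["problems"].append(
            f"{mname} has no A/AAAA record; dynamic-update clients typically "
            "locate the primary master through the SOA MNAME")
    return report


if __name__ == "__main__":
    for label, zone in (("hidden", HIDDEN_MASTER_ZONE), ("exposed", EXPOSED_MASTER_ZONE)):
        print(label, hidden_master_report(zone))
```

The check is deliberately limited to what the NS RRset and SOA reveal to the outside world; it says nothing about whether the hidden master's host is itself firewalled or whether its `allow-transfer`/NOTIFY targets are restricted to the listed nameservers, which is the other half of keeping the online key's exposure small.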