Johannes> Well, BIND's automatic signing gives you nothing to manage really.
Johannes>
Johannes> --
Johannes> Sincerely,
Johannes> Johannes Löthberg
Automatic signing like that requires storing the private keys on the server. To each his own, but that is IMHO not a good thing, and doing it manually is not so difficult or time-consuming.

I set my signatures to expire in 40 days and have a cron job send a notification that it is time to re-sign. I then place the private keys on the server (keeping them offline and encrypted until that point), run a small script that does the signing for each zone, and then delete the private keys. One can get a bit more involved with cleaning up any traces your private keys leave behind that could be compromised.

The real pain with DNSSEC is when it comes time to roll the keys.
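The cron-driven "time to re-sign" notification described above, as an added example that is not part of the original post and not the poster's own script. It parses the RRSIG records of a signed zone file (the `dnssec-signzone` output), takes the earliest signature expiration, and reports whether re-signing is due within a warning window. The zone text, the 40-day lifetime, the 7-day warning threshold and the `zone_file` argument are assumptions for illustration; the RRSIG RDATA layout and the YYYYMMDDHHMMSS UTC timestamps are as specified in RFC 4034.

```python
"""Cron-style expiry check for a manually signed DNSSEC zone (added example).

Parses the RRSIG records in a signed zone file, finds the earliest
signature expiration, and reports how many days remain so a cron job
can mail a warning before the signatures lapse.
"""
import re
import sys
from collections import namedtuple
from datetime import datetime, timedelta, timezone

Rrsig = namedtuple("Rrsig", "type_covered expiration inception keytag signer")

# RRSIG RDATA (RFC 4034 s.3.2): type-covered algorithm labels original-ttl
# expiration inception key-tag signer-name signature. Timestamps are
# YYYYMMDDHHMMSS in UTC. Owner name, TTL and class are deliberately ignored.
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+(\d{14})\s+(\d+)\s+(\S+)",
    re.IGNORECASE,
)

# Constructed sample of dnssec-signzone-style output; not a real zone.
# The DNSKEY RRSIG uses the multi-line "( ... )" form and expires first.
SAMPLE_SIGNED_ZONE = """\
; constructed example, not a real zone
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. 2024050101 7200 900 1209600 3600
    IN RRSIG SOA 13 2 3600 20240610000000 20240501000000 12345 example.com. c2lnMQ==
    IN DNSKEY 257 3 13 a2V5ZGF0YQ==
    IN RRSIG DNSKEY 13 2 3600 (
                20240608120000 20240501000000 54321
                example.com. c2lnMg== )
"""


def _records(zone_text):
    """Yield logical records: ';' comments stripped, '( ... )' continuations joined."""
    buf, depth = [], 0
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0


def _ts(field):
    """Convert an RRSIG YYYYMMDDHHMMSS field to an aware UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text):
    """Return every RRSIG in the zone as an Rrsig tuple."""
    sigs = []
    for rec in _records(zone_text):
        m = RRSIG_RE.search(rec)
        if m:
            sigs.append(Rrsig(m.group(1).upper(), _ts(m.group(2)),
                              _ts(m.group(3)), int(m.group(4)), m.group(5)))
    return sigs


def earliest_expiration(zone_text):
    """The first moment at which any signature in the zone becomes invalid."""
    sigs = parse_rrsigs(zone_text)
    if not sigs:
        raise ValueError("no RRSIG records found: zone does not look signed")
    return min(s.expiration for s in sigs)


def days_until_expiry(zone_text, now=None):
    """Days (fractional, negative if already expired) until the earliest RRSIG lapses."""
    now = now or datetime.now(timezone.utc)
    return (earliest_expiration(zone_text) - now) / timedelta(days=1)


def resign_due(zone_text, now=None, warn_days=7):
    """True when the zone must be re-signed within warn_days (or already has lapsed)."""
    return days_until_expiry(zone_text, now) <= warn_days


def main(argv):
    # Assumed cron usage: "check_rrsig.py /path/to/db.example.com.signed"; a
    # non-zero exit plus the printed line is what cron mails to the operator.
    zone_file = argv[1] if len(argv) > 1 else None
    text = open(zone_file).read() if zone_file else SAMPLE_SIGNED_ZONE
    days = days_until_expiry(text)
    print(f"earliest RRSIG expiration in {days:.1f} days ({earliest_expiration(text):%Y-%m-%d %H:%M} UTC)")
    return 1 if resign_due(text) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it from cron against the `.signed` file and let the non-zero exit trigger the mail. Checking the earliest expiration across all RRSIGs, rather than just the SOA's, matters because a zone re-signed in pieces (or with a separate KSK signature over the DNSKEY set) can have one RRset lapse well before the rest.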
