On 6.10.2014 19:15, Kevin Thompson wrote:
Howdy all,
I was reading the release plan[1], and I saw mentioned 'Signer - Dynamic
updates'. Could you elaborate on that?
Currently, the best method I've found for integrating ODS with a dynamic zone
on one server is the CentralNIC pattern[2] - the unsigned zone is served by a
master from a private view, injected into ODS by a DNS input adapter, signed
file goes out, and finally the signed file is served statically by the master
on a public view. This method works, but is a little cumbersome.
I'm really hoping that what is meant by 'dynamic updates' is that ODS would
take notifies to know when the dynamic zone is changed, would download the
updates via IXFR, and then directly add/update/delete records as needed via
dynamic updates. If so, this would be huge, since it would greatly ease
integration of ODS into dynamic zones. I imagine the similarly mentioned
"Database input and output adapter" would work the same way, but would
directly update a database storing the zone.
Is my understanding of the release plan correct? If so, I'm really excited for
the future of OpenDNSSEC.
If you want to experiment you can take a look at FreeIPA 4.1.0.
It integrates OpenDNSSEC 1.4.x with a BIND 9.9.x server backed by an LDAP database
into one (almost :-) seamless system.
Please keep in mind that this solution is intended mainly for internal
deployments so it is focused on ease of use and maintainability instead of
performance.
From the user's point of view, it allows you to click on 'DNSSEC signing enabled'
in the web interface (or the FreeIPA CLI/API) and it will generate keys for you and
sign the zone automatically using BIND's in-line signing feature.
All you have to do after that is put the DS record into your parent zone and call
OpenDNSSEC's ds-seen command.
As a result, dynamic updates (GSS-TSIG only at this moment) are fully
supported and changes will be reflected in the signed version almost immediately.
You can read more about it on:
http://www.freeipa.org/index.php?title=Releases/4.1.0
Or contact the [email protected] mailing list.
Have a nice day!
--
Petr Spacek @ Red Hat
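The last manual step Petr describes, publishing the DS in the parent and then telling OpenDNSSEC ds-seen, is the one place where a typo or a stale DS silently breaks validation, so it is worth checking that the DS the parent actually publishes matches the KSK before running ds-seen. The following is an added example, not code from FreeIPA or OpenDNSSEC: it derives the key tag (RFC 4034 Appendix B) and the SHA-256 DS digest (RFC 4509) from a DNSKEY record in presentation format and compares the result with DS records fetched from the parent. The DNSKEY and DS values in it are constructed sample data, not real keys; in practice the parent DS would come from a query against the parent's nameservers.

```python
"""Verify that a parent zone's DS matches a DNSKEY before calling ds-seen.
Added example; the DNSKEY/DS records below are constructed, not real keys."""
import base64
import hashlib
import struct


def owner_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lower-case, length-prefixed labels, terminated by the root label."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")
            if not 0 < len(raw) < 64:
                raise ValueError("bad label length in %r" % name)
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(rr: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' and return
    (owner, rdata). TTL and class are optional and skipped."""
    tokens = rr.split()
    idx = tokens.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return tokens[0], rdata


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (non-RSA/MD5 form)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(rr: str):
    """Return (key_tag, algorithm, digest_type, digest_hex) with digest type 2
    (SHA-256 over canonical owner name + DNSKEY RDATA, RFC 4509)."""
    owner, rdata = parse_dnskey(rr)
    digest = hashlib.sha256(owner_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), rdata[3], 2, digest


def parse_ds(rr: str):
    """Parse 'owner [ttl] [IN] DS tag alg dtype hex...' into the same tuple."""
    tokens = rr.split()
    idx = tokens.index("DS")
    tag, alg, dtype = (int(t) for t in tokens[idx + 1:idx + 4])
    return tag, alg, dtype, "".join(tokens[idx + 4:]).upper()


def parent_ds_matches(dnskey_rr: str, parent_ds_rrs) -> bool:
    """True if at least one DS published by the parent matches this DNSKEY."""
    want = ds_from_dnskey(dnskey_rr)
    return any(parse_ds(ds) == want for ds in parent_ds_rrs)


def check_before_ds_seen(dnskey_rr: str, parent_ds_rrs) -> dict:
    """Report the DS the parent should carry and whether it actually does;
    only call ds-seen when 'ok' is True."""
    tag, alg, dtype, digest = ds_from_dnskey(dnskey_rr)
    return {
        "expected_ds": "%d %d %d %s" % (tag, alg, dtype, digest),
        "ok": parent_ds_matches(dnskey_rr, parent_ds_rrs),
    }


# Constructed sample: a tiny fake KSK (the base64 is just bytes 03 01 00 01).
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 8 AwEAAQ=="

if __name__ == "__main__":
    expected = check_before_ds_seen(SAMPLE_KSK, [])["expected_ds"]
    # Simulate a parent that published the correct DS, and one with a typo.
    good_parent = ["example.com. 86400 IN DS " + expected]
    bad_parent = ["example.com. 86400 IN DS " + expected[:-1] + "0"]
    print(check_before_ds_seen(SAMPLE_KSK, good_parent))
    print(check_before_ds_seen(SAMPLE_KSK, bad_parent))
```

The comparison is deliberately exact on all four DS fields, since a parent that publishes the right digest under the wrong key tag or algorithm is just as useless to validators as one with no DS at all.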
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user