Re: bind autosign - DS distribution
> In message 20101209220716.ga2...@fantomas.sk, Matus UHLAR - fantomas writes:
>> pardon my ignorance if this has been discussed (haven't noticed), but if
>> BIND is configured to automatically sign dynamic zones, does it distribute
>> DS records to parent zones somehow? and if not, what are ways to do that?

On 10.12.10 09:15, Mark Andrews wrote:
> This is IETF dnsext/dnsop fodder. The simple way would be to just record
> a TSIG key in the child zone's config to update the parent zone and use
> signed UPDATE messages. Unfortunately this has run into layer 9 issues.

maybe some alternative of NOTIFY mechanism? However that's apparently why I
missed it... I think I'll try with opendnssec.

I even don't like the automatic mechanism much because of bulk updates which
I do quite often. Is it possible (planned) for bind to sign slave zone?

And, are incremental updates possible with dnssec?

I'm thinking about hidden master bind loading (un)signed zones and providing
axfr/ixfr to our public servers

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Despite the cost of living, have you noticed how popular it remains?
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: bind autosign - DS distribution
In message 20101209222644.ga2...@fantomas.sk, Matus UHLAR - fantomas writes:
>> In message 20101209220716.ga2...@fantomas.sk, Matus UHLAR - fantomas writes:
>>> pardon my ignorance if this has been discussed (haven't noticed), but if
>>> BIND is configured to automatically sign dynamic zones, does it distribute
>>> DS records to parent zones somehow? and if not, what are ways to do that?
> On 10.12.10 09:15, Mark Andrews wrote:
>> This is IETF dnsext/dnsop fodder. The simple way would be to just record
>> a TSIG key in the child zone's config to update the parent zone and use
>> signed UPDATE messages. Unfortunately this has run into layer 9 issues.
> maybe some alternative of NOTIFY mechanism? However that's apparently why I
> missed it... I think I'll try with opendnssec.
> I even don't like the automatic mechanism much because of bulk updates which
> I do quite often. Is it possible (planned) for bind to sign slave zone?

The master signs the zone. The slaves just serve it.

> And, are incremental updates possible with dnssec?

Yes. You just send the signature and nsec/nsec3 changes as well as the data
changes themselves.

> I'm thinking about hidden master bind loading (un)signed zones and providing
> axfr/ixfr to our public servers

DNSSEC works with hidden masters.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
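The "simple way" Mark describes (a TSIG key held by the child, used to send a signed UPDATE carrying the DS to the parent) worked through as an added example; this is not code from the thread, from BIND or from OpenDNSSEC. It derives the DS RDATA from a DNSKEY the way RFC 4034 section 5.1.4 and RFC 4509 specify (key tag, algorithm, digest type, digest over the canonical owner name plus the DNSKEY RDATA) and emits the nsupdate input that would replace the child's DS RRset in the parent. The dummy key, the names child.example., example. and ns1.example. and the TSIG key file name are constructed assumptions.

```python
"""Derive a child zone's DS record from its DNSKEY and build the signed-UPDATE
request that hands it to the parent.  Added example, not code from the thread
or from BIND.  The key below is a constructed dummy; names are assumptions."""
import base64
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2):
    lowercase, each label length-prefixed, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA wire format: 2-byte flags, protocol, algorithm, key material."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def dnskey_from_presentation(text: str) -> bytes:
    """Parse 'flags protocol algorithm base64key' (zone-file form, also what
    BIND's K*.key files contain) into DNSKEY RDATA."""
    flags, protocol, algorithm, *b64 = text.split()
    return dnskey_rdata(int(flags), int(protocol), int(algorithm),
                        base64.b64decode("".join(b64)))


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """DS RDATA in presentation form: 'keytag algorithm digesttype digest'.
    digest = hash(canonical owner name || DNSKEY RDATA); type 2 is SHA-256
    (RFC 4509), type 1 is SHA-1 and kept only for completeness."""
    if digest_type == 2:
        h = hashlib.sha256
    elif digest_type == 1:
        h = hashlib.sha1
    else:
        raise ValueError("unsupported DS digest type")
    digest = h(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]  # byte 3 of the RDATA is the DNSKEY algorithm
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def nsupdate_script(parent_server: str, parent_zone: str, child: str,
                    ds_rdatas, ttl: int = 3600) -> str:
    """nsupdate input that atomically replaces the child's DS RRset in the
    parent.  The TSIG key recorded in the child's config is supplied on the
    command line, e.g. `nsupdate -k Kparent-update.+165+NNNNN.private`
    (placeholder file name), so the UPDATE is signed."""
    lines = [f"server {parent_server}", f"zone {parent_zone}",
             f"update delete {child} DS"]
    for rd in ds_rdatas:
        lines.append(f"update add {child} {ttl} IN DS {rd}")
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed dummy KSK: flags 257 (SEP bit set), protocol 3, algorithm 8
# (RSASHA256), with four bytes standing in for real public-key material.
EXAMPLE_RDATA = dnskey_rdata(257, 3, 8, bytes([1, 2, 3, 4]))
EXAMPLE_DS = ds_record("child.example.", EXAMPLE_RDATA)

if __name__ == "__main__":
    print("child.example. IN DS", EXAMPLE_DS)
    print(nsupdate_script("ns1.example.", "example.", "child.example.", [EXAMPLE_DS]))
```

The DS is derived from the KSK's DNSKEY (flags 257) only, and because the digest input is the canonical lowercase owner name, a DNSKEY published under a mixed-case name yields the same DS. For a real key pair written by dnssec-keygen, BIND's own dnssec-dsfromkey gives the authoritative value to compare against; the delete-then-add pair in the UPDATE is what makes a KSK rollover a single signed transaction at the parent.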
Re: bind autosign - DS distribution
On 09.12.2010 23:26, Matus UHLAR - fantomas wrote:
>> In message 20101209220716.ga2...@fantomas.sk, Matus UHLAR - fantomas writes:
>>> pardon my ignorance if this has been discussed (haven't noticed), but if
>>> BIND is configured to automatically sign dynamic zones, does it distribute
>>> DS records to parent zones somehow? and if not, what are ways to do that?
> On 10.12.10 09:15, Mark Andrews wrote:
>> This is IETF dnsext/dnsop fodder. The simple way would be to just record
>> a TSIG key in the child zone's config to update the parent zone and use
>> signed UPDATE messages. Unfortunately this has run into layer 9 issues.
> maybe some alternative of NOTIFY mechanism? However that's apparently why I
> missed it... I think I'll try with opendnssec.
> I even don't like the automatic mechanism much because of bulk updates which
> I do quite often. Is it possible (planned) for bind to sign slave zone?
> And, are incremental updates possible with dnssec?
> I'm thinking about hidden master bind loading (un)signed zones and providing
> axfr/ixfr to our public servers

webmin implements the mechanism of resigning zones

-- 
http://pgp.mit.edu:11371/pks/lookup?op=getsearch=0x092164A7
gpg --keyserver pgp.mit.edu --recv-key 092164A7
Re: bind autosign - DS distribution
> In message 20101209222644.ga2...@fantomas.sk, Matus UHLAR - fantomas writes:
>> Is it possible (planned) for bind to sign slave zone?

On 10.12.10 09:41, Mark Andrews wrote:
> The master signs the zone. The slaves just serve it.

The master still loads the zone somehow, from a file probably (even dynamic
zones are saved to disk on shutdown, aren't they?)

Being able to fetch a zone from a different server via axfr/ixfr and sign it
as if it were a dynamic zone would spare me from playing with opendnssec or
running dnssec-signzone manually.

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Nothing is fool-proof to a talented fool.
Re: bind autosign - DS distribution
On 09.12.10 23:45, fakessh @ wrote:
> webmin implements the mechanism of resigning zones

good to know, but our system fills DNS data using some automatic processes
from more sources and I don't think they should use webmin for that ;)

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Atheism is a non-prophet organization.
Re: bind autosign - DS distribution
On 10.12.2010 00:24, Matus UHLAR - fantomas wrote:
>> On 09.12.10 23:45, fakessh @ wrote:
>>> webmin implements the mechanism of resigning zones
> good to know, but our system fills DNS data using some automatic processes
> from more sources and I don't think they should use webmin for that ;)

look at the source to construct a perl script; webmin is built with modules,
it's easy I think

sincerely