In message <a312010a27f14658b095b6523e39b...@sb.litts.net>, "Timothe Litt" writes:
> I've been running 9.6-ESV-R1 and 9.6.1-P3 with "-DALLOW_INSECURE_TO_SECURE
> -DALLOW_SECURE_TO_INSECURE" serving DNSSEC zones on several servers - all
> linux, some FC13, others on ARM embedded systems.

-DALLOW_INSECURE_TO_SECURE is always allowed. -DALLOW_SECURE_TO_INSECURE
is a named.conf option dnssec-secure-to-insecure <boolean>;

> Is there any documentation for what I need to do to convert from this
> interim dnssec auto-signing mechanism to the 9.7.1-P2 release?

Just allow key changes to become stable, then remove the sig-signing-type
records.

> Are there interoperability issues between these versions?

No.

> To make life more interesting, I not only want to update all my servers, but
> also must move the master server to a new host - with selinux (fedora core
> 13).
>
> Is there any 'getting started' presentation (esp for DNSSEC) on 9.7? There
> was a "DNSSEC in (a few) minutes" presentation for bind, but I haven't seen
> an update for 97. The ARM is great reference, but not easy to decipher for
> upgrade situations...

Read up on "rndc sign" and "auto-dnssec". 9.7 also introduced
"managed-keys" for setting up trusted keys which are using RFC 5011
management techniques.

> (I'd be happy to move this to dnssec-deployment if the consensus is that it
> belongs there.)
>
> Thanks.
>
> ---------------------------------------------------------
> This communication may not represent my employer's views,
> if any, on the matters discussed.
>
>
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
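
A named.conf sketch of the 9.7 features named in the reply above, added here as an illustration; it is not from the original thread or from ISC. The zone name, file name, key directory and the key data are placeholders, and the real public key must be substituted before named will load it.

```conf
// Added example for BIND 9.7; all names and paths below are placeholders.

options {
    directory "/var/named";

    // Run-time replacement for the -DALLOW_SECURE_TO_INSECURE build flag.
    // Leave at "no" (the default) unless a zone really has to go unsigned;
    // with "yes", deleting the DNSKEY RRset by dynamic update unsigns it.
    dnssec-secure-to-insecure no;

    // Needed for the managed-keys trust anchor below to be used.
    dnssec-enable yes;
    dnssec-validation yes;
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Where named looks for the K<zone>.+<alg>+<id>.key/.private files.
    key-directory "keys";

    // "allow":    keys are only picked up when "rndc sign example.com" is run.
    // "maintain": as "allow", and named also follows the timing metadata
    //             stored in the key files.
    auto-dnssec maintain;

    // auto-dnssec requires a dynamic zone. "update-policy local" restricts
    // updates to the session key named generates on the local host.
    update-policy local;
};

// RFC 5011 managed trust anchor. The initial key is trusted once at first
// load; after that named tracks rollovers of the anchor on its own.
managed-keys {
    "." initial-key 257 3 8 "BASE64-PUBLIC-KEY-PLACEHOLDER";
};
```

Running named-checkconf against the edited file before restarting catches syntax errors, and "rndc sign example.com" makes named re-read the key directory and re-sign if the DNSKEY RRset changed.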