In message <20101209222644.ga2...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > In message <20101209220716.ga2...@fantomas.sk>, Matus UHLAR - fantomas writes:
> > > Pardon my ignorance if this has been discussed (haven't noticed), but
> > > if BIND is configured to automatically sign dynamic zones, does it
> > > distribute DS records to parent zones somehow? And if not, what are ways to
> > > do that?
>
> On 10.12.10 09:15, Mark Andrews wrote:
> > This is IETF dnsext/dnsop fodder.
> >
> > The simple way would be to just record a TSIG key in the child zone's
> > config to update the parent zone and use signed UPDATE messages.
> > Unfortunately this has run into layer 9 issues.
>
> Maybe some alternative of the NOTIFY mechanism?
>
> However, that's apparently why I missed it...
> I think I'll try with opendnssec. I don't even like the automatic mechanism
> much because of bulk updates, which I do quite often.
>
> Is it possible (planned) for BIND to sign a slave zone?

The master signs the zone. The slaves just serve it.

> And, are incremental updates possible with DNSSEC?

Yes. You just send the signature and NSEC/NSEC3 changes as well as the data changes themselves.

> I'm thinking about a hidden master BIND loading (un)signed zones and
> providing AXFR/IXFR to our public servers.

DNSSEC works with hidden masters.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
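The layout Mark describes (a hidden master that signs the zone and hands signature plus data deltas to public secondaries over IXFR) as an added named.conf example. This is not configuration from the thread or from ISC; the zone name `example.com`, the key names `xfer-key` and `update-key`, the addresses 192.0.2.1 (hidden master) and 192.0.2.10/.11 (public secondaries), and the file paths are all placeholders chosen for illustration.

```conf
//// ---- Hidden master: signs the zone, is never listed in the NS set ----

// TSIG key shared with the public secondaries; protects AXFR/IXFR and NOTIFY.
// Generate the secret with `tsig-keygen xfer-key` (value below is a placeholder).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_FROM_TSIG_KEYGEN=";
};

// TSIG key the administrator uses with nsupdate to push (bulk) changes.
key "update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_FROM_TSIG_KEYGEN=";
};

options {
    directory "/var/named";
    // Nobody but the secondaries may transfer, and only with the TSIG key.
    allow-transfer { key "xfer-key"; };
    // Hidden master answers only the operator and the secondaries.
    allow-query { localhost; 192.0.2.10; 192.0.2.11; };
    // Keep a journal of differences so IXFR works even after a bulk reload.
    ixfr-from-differences yes;
    // Notify the secondaries explicitly; they are not in the NS set.
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.com" {
    type master;
    file "example.com.db";
    // KSK/ZSK generated with dnssec-keygen live here; named picks them up.
    key-directory "/var/named/keys";
    // named adds and refreshes RRSIG and NSEC/NSEC3 records itself as
    // updates arrive, so the secondaries receive an already-signed zone.
    auto-dnssec maintain;
    // Only holders of update-key may change names in the zone.
    update-policy { grant update-key subdomain example.com. ANY; };
};

//// ---- Public secondary (192.0.2.10 and .11): serves, never signs ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_FROM_TSIG_KEYGEN=";
};

// Sign every transfer request sent to the hidden master with the TSIG key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type slave;
    file "example.com.db";
    masters { 192.0.2.1; };
    // Ask for incremental transfers: the delta carries the changed RRs
    // together with their new RRSIG and NSEC/NSEC3 records.
    request-ixfr yes;
    allow-transfer { none; };
};
```

Nothing here pushes the DS record to the parent; as the thread notes, that step is still out of band. The DS can be derived from the KSK with `dnssec-dsfromkey` and submitted to the registrar or parent operator. To confirm the secondaries are serving the signed data, query one of them with `dig +dnssec example.com SOA` and check that an RRSIG accompanies the answer. `auto-dnssec maintain` is the mechanism the 2010 thread is about; newer BIND releases replace it with the `dnssec-policy` statement, which supplies the same signing and key-rollover behaviour with less manual key handling.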