On 12/27/2010 1:07 AM, fakessh wrote:
> good day and merry christmas.

Thanks, and to you as well.

> I just put in place guidelines in bind config to update the signatures
> dnssec
> I'm looking for options that require the least amount of maintenance that
> all updates of signatures are performed without any external intervention
>
> i quote my named conf
>
> zone "fakessh.eu" {
>         type master;
>         file "/var/named/fakessh.eu.hosts";
>         auto-dnssec maintain;
>         update-policy local;
>         key-directory "/var/named/keyset-fakessh.eu";
>         allow-transfer { 213.251.188.140;87.98.164.164;
>         195.234.42.1;94.23.59.30; };
> };
>
> is what the guidelines are good options

A bit more interesting is the command that you used to sign the zone.

When signatures reach 3/4 lifetime, the associated record is
automatically re-signed. Additionally, when new keys are made available
signatures will be created based on the timing meta-data in the keys.

Overall, the defaults seem to be "good enough" for nearly everyone.

AlanC
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
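
The re-signing rule described in the reply above (signatures refreshed once they reach 3/4 of their lifetime) can be checked from outside the server. This is an added example, not part of the original message or of BIND: it parses RRSIG records in presentation format and flags any that are past that point or already expired. The zone name, key tag, signature data and the helper names are constructed for illustration; the 0.75 threshold is taken from the message.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG records in presentation format (the layout printed
# by `dig +dnssec`); names, key tag and signature data are made up.
SAMPLE = """\
example.test. 3600 IN RRSIG SOA 8 2 3600 20110126000000 20101227000000 12345 example.test. c2lnbmF0dXJl
example.test. 3600 IN RRSIG NS 8 2 3600 20110105000000 20101206000000 12345 example.test. c2lnbmF0dXJl
www.example.test. 3600 IN RRSIG A 8 3 3600 20101231000000 20101201000000 12345 example.test. c2lnbmF0dXJl
"""

def _ts(field):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, section 3.2).
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    """Yield (owner, covered_type, inception, expiration) for each RRSIG line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue  # not a complete RRSIG record
        # f[4] = type covered, f[8] = expiration, f[9] = inception
        yield f[0], f[4], _ts(f[9]), _ts(f[8])

def classify(inception, expiration, now, threshold=0.75):
    """Return 'invalid', 'expired', 'overdue' (past the re-sign point) or 'ok'."""
    if expiration <= inception:
        return "invalid"
    if now >= expiration:
        return "expired"
    elapsed = (now - inception) / (expiration - inception)
    return "overdue" if elapsed >= threshold else "ok"

def audit(text, now):
    """Map (owner, covered_type) to its state at time `now`."""
    return {(owner, rtype): classify(inc, exp, now)
            for owner, rtype, inc, exp in parse_rrsigs(text)}

if __name__ == "__main__":
    now = datetime(2011, 1, 1, tzinfo=timezone.utc)
    for key, state in audit(SAMPLE, now).items():
        print(key, state)
```

An "overdue" result that persists across several checks suggests automatic maintenance is not running for that zone, for example because the private keys in the key directory are not readable by named.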