I have three questions regarding dnssec-signzone. To clarify things, I'm using BIND 9.7.2-P2.

First is about the input file: you can specify on the command line either the signed version of the zone, or the unsigned one. What I'd like to do however, is to use both. The unsigned zone is much more readable, and can contain $INCLUDE directives, which makes modification easier. But specifying the signed zone has the added benefit of reusing existing signatures, thus saving on computation time (not that I have a lot to save on ;). So, I'd like dnssec-signzone to take 'normal' records from the non-signed zone, try to reuse RRSIG records as much as possible, taking them from the signed zone, and write the result. Is this possible with dnssec-signzone? Other than writing a custom tool to filter only NSEC/RRSIG records from .signed and appending this file to the unsigned zone? Which might not be that hard, probably a simple sed script would do.

Another is about key management and the -S option: guessing by what I've read in the man page, -S should use key metadata to decide when to include/exclude/use/revoke the key. However, I've been unable to make it work. I have 2 KSK keys, one of them set to revoke in the past, as dnssec-settime kindly tells me. But, when I do dnssec-signzone -S on the unsigned file, I get the error message: dnssec-signzone: fatal: cannot find DNSKEY RRSIGs and nothing is signed. dnssec-signzone without -S can properly sign the zone, ignoring the revocation time. Then, I do dnssec-signzone -S on the signed file, which only retains old signatures, also happily ignoring the revocation time. What am I doing wrong, why does it fail to behave as I'd expect?

Third is about the -N option: a well established practice (although I don't know what was the origin) is to set the SOA serial number to eg 2011020101, which is the current day and a two-digit daily version. This has the benefit of being almost as good as putting the unixtime of last modification, while being much more human-readable. How difficult would it be to implement this for dnssec-signzone -N, using a fourth format specifier?
Regards, Torinthiel

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
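The third question asks how hard the date-based YYYYMMDDnn serial would be to implement. The following is an added example, not code from the post or from BIND, showing the logic as an external step that could run before dnssec-signzone (whose -N option is then left unused). The function names `next_date_serial` and `bump_soa_serial` and the zone text `SAMPLE_ZONE` are constructed for this example; the SOA matcher assumes the serial is the first number after the RNAME, with any comments placed after it. The example also covers the edge cases the post does not mention: the two-digit version reaching 99, a serial that is already "ahead" of today (clock skew or a hand-edited value), and the 32-bit wrap required by RFC 1982.

```python
import re
from datetime import date
from typing import Tuple

MAX_SERIAL = 2**32 - 1  # the SOA serial is a 32-bit unsigned integer (RFC 1982)


def next_date_serial(old_serial: int, today: date) -> int:
    """Return the next serial in YYYYMMDDnn form, never smaller than old_serial + 1.

    Cases:
      - old serial is from an earlier day  -> today's base + 01
      - old serial is from today, nn < 99  -> increment nn
      - nn already 99, or old serial is in the "future" -> plain increment,
        so the serial still moves forward; wrap to 1 at 2^32 - 1 (RFC 1982)
    """
    base = int(today.strftime("%Y%m%d")) * 100   # e.g. 2011020100
    if old_serial < base:
        return base + 1                            # first change today: ...01
    if old_serial < base + 99:
        return old_serial + 1                      # same day: bump the version
    return old_serial + 1 if old_serial < MAX_SERIAL else 1


# Matches "SOA <MNAME> <RNAME> [(] <serial>", possibly across a line break,
# as written by common zone-file layouts (assumption: no comment before the serial).
SOA_SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)", re.IGNORECASE)


def bump_soa_serial(zone_text: str, today: date) -> Tuple[str, int]:
    """Rewrite the SOA serial in zone_text; return (new_text, new_serial)."""
    m = SOA_SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA record with a numeric serial found")
    new_serial = next_date_serial(int(m.group(2)), today)
    new_text = zone_text[:m.start(2)] + str(new_serial) + zone_text[m.end(2):]
    return new_text, new_serial


# Constructed sample zone, using the serial format from the post.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.test.
@   IN SOA ns1.example.test. hostmaster.example.test. (
        2011020101 ; serial: YYYYMMDDnn
        7200       ; refresh
        900        ; retry
        1209600    ; expire
        3600 )     ; minimum
    IN NS  ns1.example.test.
ns1 IN A   192.0.2.1
"""

if __name__ == "__main__":
    text, serial = bump_soa_serial(SAMPLE_ZONE, date(2011, 2, 1))
    print(serial)   # 2011020102: second change on 2011-02-01
    print(text)
```

Run it once per edit of the unsigned zone, then hand the rewritten file to dnssec-signzone without -N so the serial is left as is; because every branch returns a value strictly greater than the old serial (until the RFC 1982 wrap), secondaries will always see the change.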