2011/3/10 Evan Hunt <e...@isc.org>

>
> > Now DLZ supports dynamic updates and theoretically it is possible to make
> > such tricks:
> >
> > rndc freeze example.com
> > put some new records in database
> > rndc thaw example.com
> > rndc sign example.com
> > rndc freeze example.com
> >
> > That is, zone isn't really dynamic, but it is dynamically loadable and
> > signed. Will it work?
>
> DLZ only supports dynamic updates if you're using a back-end that supports
> them. Right now the only combination that works is the DLZ "dlopen" driver
> running the SMB/CIFS module provided in Samba 4, bind_dlz.c. As far as I
> know, that module doesn't understand DNSSEC RRtypes, so I doubt if that
> trick would work today.
>
> Even with a back-end module that can manage DNSSEC records, my guess is
> that it wouldn't answer queries correctly, because AFAIK DLZ doesn't have
> a mechanism for finding the closest previous name, and that's necessary
> for returning a signed NXDOMAIN response. (This problem would also apply
> if you used dnssec-signzone and loaded the signed data into the database
> directly.)
>
> Incidentally, we've been expanding DLZ support further. In 9.8.1, the
> dlopen driver will be part of the default build on unix/linux platforms, no
> longer requiring a configure option, so you can use the Samba module (or
> other modules yet to be written) with a stock BIND 9 build. In 9.9.0,
> we'll be adding support for the dlopen driver on Windows as well. I plan
> to convert the other DLZ drivers (mysql, postgresql, ldap, etc) to back-end
> modules for the dlopen driver at that time as well. I'm not expecting to
> make them support dynamic updates yet, and hadn't even given any thought
> to the problem of supporting DNSSEC, but we can add those features to the
> roadmap as well if there's user demand.
>
> --
> Evan Hunt -- e...@isc.org
> Internet Systems Consortium, Inc.

Thank you, Evan

I'd like to add my vote for DNSSEC in DLZ to Christian's one :)

--
-- AP

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users