You want BIND 9.9 (currently 9.9.0rc1) with inline signing. This will do exactly what you want, I think.
--Michael

On Jan 11, 2012, at 9:31 AM, Howard Leadmon wrote:

>
> OK, in an attempt to start using DNSSEC over here, I suppose I bit myself
> in the backside, and even spending some time using googlefu I still haven't
> quite figured this all out.
>
> I am currently running the current BIND 9.8.1, and set up to support DNSSEC.
> After reading around a bit, I saw that setting auto-dnssec in the config
> would read in the keys and sign the zones automatically, this seemed in
> theory to be perfect, so I configured it this way. After that the domains
> were signed, and going to places like the verisign debugger showed my domain
> was happily secured with DNSSEC.
>
> Then I go to make a change to my DNS file, whoa was I in for a shock, as
> apparently BIND took my nice text file for DNS I have edited for ages, and
> converted it into a full signed zone. Try and edit that file, and of
> course it bitches about it no longer matching the .jnl file and drops the
> zone. This sure makes it hard to update things, well the way I am used to
> doing it.
>
> So I guess my million dollar question is, I want to use DNSSEC (it's
> actually working now), but I want to be able to edit my zone files the way I
> always have for many years, and just have BIND sign the zones with the keys
> and update as needed to keep DNS running smoothly. Is there some easy way
> to do this, some scripts someone has made, or some documentation to walk me
> through accomplishing this?
>
> I can't believe there aren't a lot of others that have run DNS just as I
> have for years and years, and just want a nice simple way to keep using BIND
> and implementing the new security for the domains I manage. I have googled
> till I have about turned blue, and maybe I am missing it, but I have seen
> some very complex key management systems and so forth, I have no need for
> anything that complex, so figure I am missing the solution that is hiding
> someplace. Any pointers??
>
> ---
> Howard Leadmon
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
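
The inline-signing setup suggested in the reply above, sketched as a named.conf fragment. This is an added example, not configuration posted by either participant; the zone name example.com, the directory paths, and the commented-out 9.8-style stanza are assumptions for illustration.

```conf
# Constructed example: zone name and all paths are placeholders.
options {
    directory "/var/named";
    key-directory "/var/named/keys";   # KSK/ZSK files made with dnssec-keygen
};

# BIND 9.8.x style (assumed shape of the setup described in the question):
# auto-dnssec requires a dynamic zone, so named rewrites the zone file as a
# signed zone and keeps a .jnl journal next to it. Hand edits to the file
# then disagree with the journal and the zone fails to load.
#
# zone "example.com" {
#     type master;
#     file "master/example.com.db";
#     update-policy local;
#     auto-dnssec maintain;
# };

# BIND 9.9 with inline signing: named treats master/example.com.db as
# read-only unsigned input and maintains the signed copy separately in
# master/example.com.db.signed (with its own .signed.jnl journal).
zone "example.com" {
    type master;
    file "master/example.com.db";      # the hand-edited text zone file
    inline-signing yes;                # sign a separate copy, leave this file alone
    auto-dnssec maintain;              # load keys from key-directory, re-sign as needed
};
```

With this layout the zone file is edited by hand as before: increase the SOA serial, then run `rndc reload example.com` so named picks up the change and signs the new records.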