On Fri, Feb 24, 2012 at 04:48:14AM +0000, vinny_abe...@dell.com wrote:
> I kind of had the same thought... If ISC had a DNS outage due to expired
> signatures of a zone, what chance do I have in successfully deploying and
> maintaining DNSSEC for my zones?

Somewhat ironically, the part of ISC responsible for maintaining those particular reverse zones isn't using the latest ISC software to do it.

DNSSEC has gotten *much* easier over the past few years. (I have half a dozen signed domains and I haven't had to think about them since I set the server up last April--it just works.)

But ISC was one of the first adopters of DNSSEC, and at that time 'dnssec-signzone' was the only tool available. We're still using some of the scripts that were written at that time, because the world is full of broken things to fix, taking priority over things that mostly work.

However, I believe the Ops department is planning to switch over to BIND 9.9 fairly soon, in order to take advantage of the new inline-signing feature (which in fact was largely developed at their behest).

https://kb.isc.org/article/AA-00626/109/Inline-Signing-in-ISC-BIND-9.9.0-Examples.html

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.