On Fri, Sep 13, 2013 at 12:38:07PM -0300, Diego Martínez wrote:
> if I use bind with zone options:
> auto-dnssec: maintain
> inline-signing: yes
>
> the KSK (public and private parts) must be on-line, right?
> Even if not required to sign the DNSKEY records?
The short answer is yes.

When you're doing inline signing, the server maintains two copies of the zone internally: the original zone as you configured it (we call it the "raw" zone), and then a second copy that it builds which actually answers queries. When named first loads the raw zone, it's copied over into the signed zone *with any existing DNSSEC records stripped out*. DNSKEYs get brought in from the key directory, the whole thing is signed, NSEC records generated, and finally we're ready to answer queries.

Signing the raw zone with an offline KSK before you loaded it would just cause the signed DNSKEY rrset to be stripped before the inline-signing zone got to work.

I can think of some ways to kluge around this, but they'd be cumbersome and prone to error. My real recommendation is, if you need an offline KSK, don't use inline signing. (You can still use auto-dnssec.)

-- 
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
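The practical consequence of the answer above is that an inline-signing zone needs the KSK's private key in the key directory, so an operator who believes the KSK is offline should be able to verify that on the server. The script below is an added example, not part of the original thread and not BIND's own tooling; it assumes dnssec-keygen file naming (`K<zone>.+<alg>+<keyid>.key` with a sibling `.private`) and identifies a KSK by the DNSKEY flags field 257 (ZONE + SEP). The sample key directory it builds is constructed for the demonstration and contains placeholder key material, not real keys.

```shell
#!/bin/sh
# Added example (not from the original post or from BIND): audit a BIND
# key-directory for key-signing keys whose private half is present.
# Assumption: files are named K<zone>.+<alg>+<keyid>.key / .private as
# dnssec-keygen produces, and the .key file holds the DNSKEY record.

# Print every KSK (DNSKEY flags 257) that has a .private file next to its
# .key file. Returns 0 if at least one such online KSK exists, 1 otherwise.
find_online_ksks() {
    keydir=$1
    found=1
    for keyfile in "$keydir"/K*.key; do
        [ -f "$keyfile" ] || continue
        # A KSK carries flags 257 (ZONE + SEP); a ZSK carries 256.
        if grep -Eq 'DNSKEY[[:space:]]+257[[:space:]]' "$keyfile"; then
            base=${keyfile%.key}
            if [ -f "$base.private" ]; then
                echo "ONLINE KSK: $base"
                found=0
            fi
        fi
    done
    return $found
}

# Build a constructed key directory (placeholder key material, not real
# keys): one KSK and one ZSK, both with their private halves present, which
# is what an inline-signing zone requires.
make_demo_keydir() {
    dir=$1
    mkdir -p "$dir"
    printf '; This is a key-signing key, keyid 12345, for example.com.\n' \
        > "$dir/Kexample.com.+008+12345.key"
    printf 'example.com. IN DNSKEY 257 3 8 AwEAAPLACEHOLDERKSK==\n' \
        >> "$dir/Kexample.com.+008+12345.key"
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n' \
        > "$dir/Kexample.com.+008+12345.private"
    printf 'example.com. IN DNSKEY 256 3 8 AwEAAPLACEHOLDERZSK==\n' \
        > "$dir/Kexample.com.+008+23456.key"
    printf 'Private-key-format: v1.3\nAlgorithm: 8 (RSASHA256)\n' \
        > "$dir/Kexample.com.+008+23456.private"
}

# Stand-alone demonstration: the constructed directory has the KSK private
# key on disk, as an inline-signing zone needs; removing only the KSK's
# .private file is what an offline-KSK layout (no inline signing) looks like.
demo=$(mktemp -d)
make_demo_keydir "$demo"
if find_online_ksks "$demo"; then
    echo "KSK private key is on this server (required for inline-signing)"
fi
rm -f "$demo/Kexample.com.+008+12345.private"
if find_online_ksks "$demo"; then
    echo "unexpected: KSK private key still present"
else
    echo "no KSK private key on this server (offline-KSK layout)"
fi
rm -rf "$demo"
```

Run it against the zone's real `key-directory` to confirm which layout a server actually has; the ZSK's private key is expected to be present in both cases, so the check reports only KSKs.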