Hi Carsten and all,

sorry for the late reply.

On 24.07.14 19:53 Carsten Strotmann wrote:
> I'm not aware that BIND 9 can do a ZSK rollover all on its own, it
> is however possible to set the timing values on the ZSK key files
> in a way that BIND 9 will execute the rollover at the set times.
> It is also possible to create a direct successor ZSK from an
> existing ZSK.

That is exactly what I meant. I prepare the keys and BIND does the
rollover automatically.

> But the creation of the new ZSK, as well as setting the timing
> values, need to be done outside BIND 9. It is relatively
> straightforward to script this in a cron job, and there are
> ready-made tools that can help.

I'll dig into scripting that. But I found Michael W. Lucas' DNSSEC
Mastery a pretty good read on the process.

> In the same cron job, it is then possible to create a new NSEC3
> salt and inject that into the zone.

So basically BIND cannot do that for me each time it does a key
rollover. That's what I wanted to know.

> Doing so at the exact moment of the ZSK key rollover (to prevent
> unnecessary re-generation of all RRSIGs) is tricky.
>
> If the zone is not too big (e.g. re-generating all RRSIGs is not a
> problem), I would recommend to roll the salt in the same intervals,
> but independent from the ZSK rollover.

I'll stick with this, then.

Regards,
Johannes

-- 
Debian as a whole is divided into three parts, of which one is called
Stable, another Testing, and the third, which in their own language is
called Sid, in ours Unstable.
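As an added example that is not part of the thread, the cron job Carsten describes, written against BIND 9's own tools (dnssec-settime, dnssec-keygen -S, rndc). The zone name, key directory, key basename, intervals and NSEC3 parameters are placeholders to adapt.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-style wrapper around the BIND 9
# tools Carsten describes. Zone, key directory, key basename, intervals and
# NSEC3 parameters are placeholders to adapt.
set -eu

# Fresh random NSEC3 salt: 8 bytes from /dev/urandom as 16 hex characters.
gen_salt() {
    od -An -N8 -tx1 /dev/urandom | tr -d ' \n'
}

# Salt sanity check: non-empty, hex only, whole bytes, at most 255 bytes.
salt_is_valid() {
    case "$1" in
        ""|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ $(( ${#1} % 2 )) -eq 0 ] && [ "${#1}" -le 510 ]
}

# One cycle: schedule the current ZSK's retirement, create its successor,
# reload keys, and hand named a new salt. named performs the actual
# rollover at the set dates (zone must use auto-dnssec maintain).
roll_zsk_and_salt() {
    zone=$1; keydir=$2; current=$3
    for tool in dnssec-settime dnssec-keygen rndc; do
        command -v "$tool" >/dev/null || { echo "missing $tool" >&2; return 1; }
    done
    # Retire the current key in 30 days, delete it 7 days later (placeholder
    # intervals; the gap must exceed max TTL plus RRSIG validity).
    dnssec-settime -K "$keydir" -I +30d -D +37d "$current" >/dev/null
    # -S copies name/algorithm/size and activates the successor when the
    # predecessor goes inactive; -i pre-publishes it 30 days before that.
    new=$(dnssec-keygen -K "$keydir" -S "$current" -i 30d "$zone")
    echo "successor ZSK: $new"
    rndc loadkeys "$zone"
    # Salt roll on the same schedule but independent of the key dates, as
    # Carsten recommends for small zones. 1 = SHA-1, 0 = no opt-out, 10 iterations.
    salt=$(gen_salt)
    salt_is_valid "$salt" || return 1
    rndc signing -nsec3param 1 0 10 "$salt" "$zone"
}

# Runs only when given arguments, e.g. from cron:
#   roll-zsk.sh example.com /etc/bind/keys Kexample.com.+008+12345
[ "$#" -eq 0 ] || roll_zsk_and_salt "$@"
```

Run it from cron at the interval you chose for both the ZSK and the salt; without arguments it only defines the functions.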