Thomas Goldberg <t.goldber...@gmail.com> wrote:
> Essentially we're looking for a way to inject DS records into a slave
> zone (transferred from another DNS server).

One way to do this is with my nsdiff script which was written to do a
similar job to inline-signing mode for older versions of BIND.

http://dotat.at/prog/nsdiff/

To set it up, you configure your BIND server as a master (instead of as a
slave) with dynamic updates and automatic signing turned on. You run
nsdiff in "bump-in-the-wire" mode which takes a zone transfer from a
hidden master (e.g. your Windows server) and injects the changes into the
signer (BIND) using nsupdate.

To take control of DS records, use an option to make nsdiff ignore them:

    nsdiff -i '^\S+\s+\d+\s+IN\s+DS\s+'

Then you can use nsupdate to inject the DS records into BIND. Then when
you run nsdiff it will propagate non-DNSSEC changes from Windows to BIND,
but it will leave the DS records alone.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Trafalgar: Cyclonic in northwest, otherwise mainly northerly or northwesterly
5 or 6. Slight or moderate. Showers in northwest. Good.
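
Added example, not part of the original message and not nsdiff's own code: a simplified Python model of the diff step, showing why the ignore pattern above keeps a separately injected DS record from being deleted on the signer. The zone data, the helper names `records` and `diff_to_nsupdate`, and the one-record-per-line `name TTL IN type rdata` input form are assumptions made for the illustration.

```python
import re

# Ignore pattern quoted in the message (the argument to `nsdiff -i`).
IGNORE_DS = re.compile(r'^\S+\s+\d+\s+IN\s+DS\s+')

# Constructed sample data: the hidden master knows nothing about DS records.
MASTER = """\
example.com. 3600 IN NS ns1.example.com.
child.example.com. 3600 IN NS ns.child.example.com.
www.example.com. 3600 IN A 192.0.2.10
mail.example.com. 3600 IN A 192.0.2.25
"""
# Constructed: the signer still has the old www address, plus a DS record
# injected separately with nsupdate (the digest is a placeholder).
SIGNER = """\
example.com. 3600 IN NS ns1.example.com.
child.example.com. 3600 IN NS ns.child.example.com.
child.example.com. 3600 IN DS 12345 13 2 0123456789ABCDEF
www.example.com. 3600 IN A 192.0.2.1
"""

def records(zone_text, ignore=None):
    """One record per line, whitespace-normalised, minus ignored lines."""
    out = set()
    for line in zone_text.splitlines():
        line = " ".join(line.split())
        if line and not line.startswith(";") and not (ignore and ignore.search(line)):
            out.add(line)
    return out

def diff_to_nsupdate(master_text, signer_text, ignore=None):
    """Commands that make the signer match the master, ignoring some lines."""
    master = records(master_text, ignore)
    signer = records(signer_text, ignore)
    script = [f"update delete {r}" for r in sorted(signer - master)]
    script += [f"update add {r}" for r in sorted(master - signer)]
    return script

if __name__ == "__main__":
    print("without -i:", *diff_to_nsupdate(MASTER, SIGNER), sep="\n  ")
    print("with -i:", *diff_to_nsupdate(MASTER, SIGNER, IGNORE_DS), sep="\n  ")
```

The pattern only matches lines that carry an explicit TTL and class, so a DS line written as `child.example.com. IN DS ...` would not be ignored by it.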