Latitude <arlendelcasti...@gmail.com> wrote:
>
> I have read in Michael W. Lucas' DNSSEC Mastery book that BIND 9.9 and newer
> can automatically sign zones and refresh signatures (RRSIGs), but older
> versions cannot (p. 53).

That isn't entirely correct: BIND has had automatic signing since 9.7 (if I
remember correctly - it has been a long time). You just need to set
`auto-dnssec maintain;` and (for simple cases) `update-policy local;`. See
section 4.9.3 on page 26 of

https://ftp.isc.org/isc/bind9/9.8.2/doc/arm/Bv9ARM.pdf

Also see my blog about DNSSEC in BIND 9.8 from 6 years ago (thanks Red Hat
for keeping such ancient relics relevant for so long)

http://fanf.livejournal.com/112476.html

What was new in 9.9 was inline-signing mode.

Shameless plug: you can get something very like inline-signing mode for
antediluvian versions of BIND using my `nsdiff` program

http://dotat.at/prog/nsdiff/

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Humber, Thames: East or southeast, veering southwest later, 4 or 5,
occasionally 6 later in Thames. Smooth or slight, occasionally moderate later
in Thames. Fair. Good.
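
The two settings named in the reply above, placed in a zone stanza. This is an added example, not part of the original message or of the BIND documentation; the zone name `example.com`, the `/var/named` layout and the `dynamic/` and `keys/` directories are assumptions.

```conf
// Constructed named.conf fragment for automatic signing without
// inline-signing. Zone name and paths are placeholders.
options {
    directory "/var/named";
};

zone "example.com" {
    type master;

    // named rewrites this file and keeps a journal beside it, so the
    // directory must be writable by the user named runs as.
    file "dynamic/example.com.db";

    // Where named looks for this zone's K*.key and K*.private files,
    // created beforehand with dnssec-keygen.
    key-directory "keys";

    // Sign the zone with the keys found above and regenerate RRSIGs
    // before they expire.
    auto-dnssec maintain;

    // auto-dnssec requires a dynamic zone. "local" accepts updates
    // only when they are signed with the session key that named
    // generates at startup, which `nsupdate -l` uses on the server.
    update-policy local;
};
```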