[dns-operations] DS keys for child zones on same server & inline signing

Phil Pennock dnsop+phil at spodhuis.org
Fri Mar 15 19:03:38 UTC 2013


On 2013-03-15 at 11:51 -0400, Joe Abley wrote:
> If you're editing the zone manually, be sure to rndc freeze/thaw around your edits.

Thanks, the freeze/thaw was only around updates to some other zone in
the deploy script.  Fixed.

The rest of this is not bind-specific but around policy.

> Really though, using dynamic updates is cleaner.

Anyone got a tool that will take a configuration as checked into
revision control, take the live config, generate a diff and apply that
as a dynamic update to bring things into sync?

I decline to have the core records (not the DNSSEC ones) not live in
version control.

In the serving tree, the master records have never been owned by the
bind runtime user.  Since I'm now serving the auto-generated DNSSEC
records which are owned by the runtime user, that stance is being
relaxed.  I've got the master zones dir mode 1775 with the bind group
being able to create and manage its own files, but not touch the
canonical files as they live checked out.

For determining the current SOA, for increments, I just dig against the
master auth server and pick something larger.

I'm happy to change some of my work practices and the precise mechanics
of how changes are deployed, but I'm not prepared to move away from
being able to diff live configurations against revision-controlled
copies, or forcibly use the revision-controlled copies (with SOA bumps
as needed).

If nobody has tools to let dynamic updates work from flat files in
revision control, I'll script up something, but don't want to reinvent
the wheel if someone has something they recommend?

-Phil
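The "diff the checked-in zone against the live zone and push the difference as a dynamic update" step Phil asks about can be scripted in a few dozen lines. What follows is an added example written for this page; it is not Phil's script, not a tool anyone on the list recommended, and not BIND code. It assumes the live copy is obtained as presentation-format text (for instance the output of `dig @master example.test. AXFR`), that the checked-in file uses one record per line (no multi-line parentheses), and that the result is fed to `nsupdate`. It deliberately skips the SOA and the records a signing server generates itself (RRSIG, NSEC*, DNSKEY, CDS/CDNSKEY), so the revision-controlled file keeps owning the "core" records only; the zone and addresses below are constructed sample data.

```python
"""Build an nsupdate batch from the difference between a revision-controlled
zone file and the live zone.  Added example, not a published tool."""
from collections import namedtuple

RR = namedtuple("RR", "name ttl rclass rtype rdata")

# Records the signing server owns; never push or delete these via update.
GENERATED_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}
# The SOA serial is bumped by the server on each dynamic update, so skip it too.
SKIP_TYPES = GENERATED_TYPES | {"SOA"}
# Types whose last rdata field is a domain name that may be written relative.
NAME_RDATA = {"NS", "CNAME", "PTR", "MX", "SRV"}


def qualify(name, origin):
    """Return the lower-cased, fully qualified form of an owner or rdata name."""
    if name == "@":
        return origin.lower()
    if not name.endswith("."):
        name = name + "." + origin
    return name.lower()


def normalise_rdata(rtype, fields, origin):
    """Join rdata fields, qualifying the trailing name for name-bearing types."""
    fields = list(fields)
    if rtype in NAME_RDATA and fields:
        fields[-1] = qualify(fields[-1], origin)
    return " ".join(fields)


def parse_zone(text, origin, default_ttl=3600):
    """Parse presentation-format zone text: $ORIGIN/$TTL honoured, blank owner
    repeats the previous owner, one record per line (no parentheses)."""
    if not origin.endswith("."):
        origin += "."
    rrs, last_name, ttl = set(), origin, default_ttl
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()          # drop comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        fields = line.split()
        name = last_name if line[0] in " \t" else fields.pop(0)
        name = last_name = qualify(name, origin)
        rr_ttl = ttl
        if fields and fields[0].isdigit():            # optional per-record TTL
            rr_ttl = int(fields.pop(0))
        rclass = "IN"
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            rclass = fields.pop(0).upper()
        rtype = fields.pop(0).upper()
        rrs.add(RR(name, rr_ttl, rclass, rtype, normalise_rdata(rtype, fields, origin)))
    return rrs


def diff_zones(wanted, live):
    """Return (to_delete, to_add) so that applying both makes live match wanted,
    ignoring the SOA and server-generated DNSSEC records."""
    wanted = {r for r in wanted if r.rtype not in SKIP_TYPES}
    live = {r for r in live if r.rtype not in SKIP_TYPES}
    return live - wanted, wanted - live


def nsupdate_script(server, zone, to_delete, to_add):
    """Render the difference as an nsupdate batch (one 'send', so it is atomic)."""
    lines = [f"server {server}", f"zone {zone}"]
    for r in sorted(to_delete):
        lines.append(f"update delete {r.name} {r.rtype} {r.rdata}")
    for r in sorted(to_add):
        lines.append(f"update add {r.name} {r.ttl} {r.rclass} {r.rtype} {r.rdata}")
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample: the checked-in file and a dig-AXFR-style dump of the live,
# inline-signed zone.  Addresses are from the 192.0.2.0/24 documentation range.
CHECKED_IN = """$ORIGIN example.test.
$TTL 3600
@    IN SOA ns1.example.test. hostmaster.example.test. 2013031501 7200 900 1209600 3600
@    IN NS  ns1.example.test.
@    IN NS  ns2.example.test.
ns1  IN A   192.0.2.1
ns2  IN A   192.0.2.2
www  IN A   192.0.2.10   ; changed from .9
mail IN A   192.0.2.25   ; new host
@    IN MX  10 mail
"""
LIVE = """example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2013031500 7200 900 1209600 3600
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN NS ns2.example.test.
example.test. 3600 IN DNSKEY 257 3 8 AwEAAconstructedKeyMaterial
example.test. 3600 IN RRSIG NS 8 2 3600 20130401000000 20130301000000 12345 example.test. Y29uc3RydWN0ZWQ=
ns1.example.test. 3600 IN A 192.0.2.1
ns2.example.test. 3600 IN A 192.0.2.2
www.example.test. 3600 IN A 192.0.2.9
old.example.test. 3600 IN A 192.0.2.11
example.test. 3600 IN MX 10 mail.example.test.
"""


def sample_batch():
    """Diff the constructed sample and return the nsupdate batch text."""
    to_delete, to_add = diff_zones(parse_zone(CHECKED_IN, "example.test."),
                                   parse_zone(LIVE, "example.test."))
    return nsupdate_script("192.0.2.1", "example.test.", to_delete, to_add)


if __name__ == "__main__":
    print(sample_batch(), end="")   # pipe into: nsupdate -k /path/to/update.key
```

In practice the output is piped to `nsupdate` with a TSIG key that is allowed by the zone's `update-policy`, and the whole change goes in a single `send` so the server applies it atomically. Because the server bumps the SOA serial itself on a dynamic update, the serial in the checked-in file is only a floor; Phil's habit of digging the live SOA and picking something larger still applies if the checked-in copy is ever loaded directly.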


