[dns-operations] DS keys for child zones on same server & inline signing
Evan Hunt
each at isc.org
Fri Mar 15 20:21:17 UTC 2013
On Fri, Mar 15, 2013 at 03:03:38PM -0400, Phil Pennock wrote:
> Anyone got a tool that will take a configuration as checked into
> revision control, take the live config, generate a diff and apply that
> as a dynamic update to bring things into sync?

See contrib/zone-edit.sh, in the BIND9 tarball; it does something
along those lines.

But that's also pretty much what inline-signing does internally.

> For determining the current SOA, for increments, I just dig against the
> master auth server and pick something larger.

Note that if you're using inline-signing, then when you query for the
SOA you'll get one from the signed version of the zone, not the raw
version, which will usually have a different serial number. But it's
usually going to be higher, so it's probably safe to do things this way.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
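
Added example (not part of the original message, and not code from BIND or ISC): because the SOA serial served by an inline-signing server can differ from the serial in the raw zone, a script that picks "something larger" can compare both values with RFC 1982 serial arithmetic, which also covers 32-bit wraparound. The function names and the sample serials are constructed for illustration.

```python
"""Choose a serial for a dynamic update when the queried SOA may come from
the inline-signed zone instead of the raw zone (constructed example)."""

MOD = 1 << 32    # SOA serials are unsigned 32-bit values
HALF = 1 << 31   # RFC 1982: ordering is undefined at exactly this distance


def _check(serial: int) -> int:
    """Reject values that cannot be an SOA serial."""
    if not 0 <= serial < MOD:
        raise ValueError(f"serial out of range: {serial}")
    return serial


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 comparison: True if serial a is 'greater than' serial b."""
    a, b = _check(a), _check(b)
    if a == b:
        return False
    diff = (a - b) % MOD
    if diff == HALF:
        raise ValueError("serials are exactly 2^31 apart; ordering undefined")
    return diff < HALF


def next_serial(raw_serial: int, served_serial: int, step: int = 1) -> int:
    """Return a serial that is larger than both the raw-zone serial (from
    revision control) and the serial seen in a query against the server."""
    if not 0 < step < HALF:
        raise ValueError("step must be in 1..2^31-1")
    base = served_serial if serial_gt(served_serial, raw_serial) else raw_serial
    return (base + step) % MOD


if __name__ == "__main__":
    # Constructed sample values: (raw serial, serial returned by a query)
    for raw, served in [(2013031501, 2013031507), (4294967290, 3)]:
        print(raw, served, "->", next_serial(raw, served))
```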