[dns-operations] dnssec via dynamic updates
marka at isc.org
Fri Mar 18 21:25:39 UTC 2016
In message <CAE_wXn3iFoqZkz7EDcvigwWQe=Ynv94MDMmKP0brtRdXk51RDQ at mail.gmail.com>, Peter Andreev writes
> Thank you, I'll take a closer look at PowerDNS.
> Brett, Evan,
> The signer is under third party management and I have no access to it.
> After signing they upload a zone file to server under my command. I
> can negotiate for file format, will it be for example a zone file or
> food for nsupdate or whatever, but changing the way how we interact is
I'm still not clear why you need to do UPDATE. You need to compute
a delta and send it in a single UPDATE message which is limited
to 64K. Named's ixfr-from-differences can compute the delta and
is not limited to a 64K delta size.
Named does simple secure update which essentially says named is
managing the DNSSEC records. It wouldn't be hard to add an option
to disable all the extra work simple secure update does.
> 2016-03-18 20:29 GMT+03:00 Evan Hunt <each at isc.org>:
> > On Fri, Mar 18, 2016 at 03:51:44PM +0300, Peter Andreev wrote:
> >> Unfortunately xfr is not an option. The main point is that public server
> >> should know nothing about signer and vise versa.
> > I'm not clear why *XFR isn't an option for this? You don't need to have
> > your hidden master listed in the NS RRset where the public can see it; you
> > only need it in the name server configuration. (In BIND terms, the signer
> > needs to be listed in the "masters" option on the slave(s), and the
> > slave(s) must be in the "allow-transfer" ACL on the signer.)
> > --
> > Evan Hunt -- each at isc.org
> > Internet Systems Consortium, Inc.
> Is there any problem Exterminatus cannot solve? I have not found one yet.
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
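Mark's point above, that the delta between two versions of the zone has to go out as a single UPDATE message capped at 64K, together with Peter's "food for nsupdate" idea, as an added example that is not code from this thread, from ISC or from BIND: a small Python script that diffs two presentation-format zone files and emits an nsupdate batch. The zone contents, serials and RRSIG data below are constructed placeholders; the parser only handles one-RR-per-line zones (no $INCLUDE, no parenthesised multi-line records, rdata names written fully qualified); and the wire-size figure is a rough upper-bound estimate based on text length, not an exact encoding.

```python
"""Diff two zone files and emit an nsupdate script for the delta.

Added example (not from the dns-operations thread, ISC or BIND). Sample
zones, serials and signature data are constructed placeholders.
"""
from collections import Counter

# A DNS message over TCP carries a 16-bit length prefix, so one UPDATE
# message can never exceed 65535 bytes; this is the "64K" limit.
MAX_UPDATE_BYTES = 65535


def absolutize(name, origin):
    """Turn a zone-file owner name into a fully qualified name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    if origin is None:
        raise ValueError("relative name %r without $ORIGIN" % name)
    return "%s.%s" % (name, origin)


def parse_zone(text, origin=None):
    """Parse a minimal presentation-format zone into a multiset of RRs.

    Each RR is the tuple (owner, ttl, class, type, rdata-text). Only
    $ORIGIN and $TTL directives are understood; rdata is kept as text.
    """
    ttl = None
    last_owner = None
    rrs = Counter()
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$TTL"):
            ttl = int(line.split()[1])
            continue
        fields = line.split()
        if line[0].isspace():                     # blank owner: repeat last
            owner = last_owner
        else:
            owner = fields.pop(0)
        owner = absolutize(owner, origin)
        last_owner = owner
        rr_ttl = ttl
        if fields and fields[0].isdigit():        # optional per-RR TTL
            rr_ttl = int(fields.pop(0))
        rr_class = "IN"
        if fields and fields[0].upper() in ("IN", "CH", "HS"):
            rr_class = fields.pop(0).upper()
        if fields and fields[0].isdigit():        # TTL may follow the class
            rr_ttl = int(fields.pop(0))
        if rr_ttl is None:
            raise ValueError("no TTL for %s" % owner)
        rr_type = fields.pop(0).upper()
        rrs[(owner, rr_ttl, rr_class, rr_type, " ".join(fields))] += 1
    return rrs


def zone_delta(old, new):
    """Return (deletes, adds) as Counters of RRs."""
    deletes = old - new
    adds = new - old
    # UPDATE cannot delete the zone's only SOA; adding the new SOA (with a
    # higher serial) replaces it, so the old one is never listed for deletion.
    deletes = Counter({rr: n for rr, n in deletes.items() if rr[3] != "SOA"})
    return deletes, adds


def estimate_wire_bytes(zone, deletes, adds):
    """Conservative estimate of the UPDATE message size in bytes.

    Uncompressed names cost text length + 1; rdata is counted as text
    length + 1, which is at or above the binary size for common types.
    """
    size = 12 + len(zone) + 1 + 4                 # header + zone section
    for rr, n in list(deletes.items()) + list(adds.items()):
        owner, _ttl, _cls, _type, rdata = rr
        size += n * (len(owner) + 1 + 10 + len(rdata) + 1)
    return size


def nsupdate_script(zone, server, old, new):
    """Build one nsupdate batch (one UPDATE message) for old -> new."""
    deletes, adds = zone_delta(old, new)
    size = estimate_wire_bytes(zone, deletes, adds)
    if size > MAX_UPDATE_BYTES:
        raise ValueError("delta needs ~%d bytes, over the %d-byte UPDATE "
                         "limit; use zone transfer instead" % (size, MAX_UPDATE_BYTES))
    lines = ["server %s" % server, "zone %s" % zone]
    # Only apply if the server still holds the version we diffed against.
    for owner, _ttl, cls, rtype, rdata in old:
        if rtype == "SOA" and owner == zone:
            lines.append("prereq yxrrset %s %s SOA %s" % (owner, cls, rdata))
    for (owner, _ttl, cls, rtype, rdata), n in sorted(deletes.items()):
        lines.extend(["update delete %s %s %s %s" % (owner, cls, rtype, rdata)] * n)
    for (owner, ttl, cls, rtype, rdata), n in sorted(adds.items()):
        lines.extend(["update add %s %d %s %s %s" % (owner, ttl, cls, rtype, rdata)] * n)
    lines.append("send")
    return "\n".join(lines) + "\n"


# Constructed sample zones; RRSIG data is a placeholder, not a real signature.
OLD_ZONE = """\
$ORIGIN example.
$TTL 3600
@    IN SOA ns1.example. hostmaster.example. 2016031801 7200 3600 1209600 3600
@    IN NS  ns1.example.
ns1  IN A   192.0.2.1
www  IN A   192.0.2.10
www  IN RRSIG A 8 2 3600 20160418000000 20160318000000 12345 example. c2lnMQ==
"""

NEW_ZONE = """\
$ORIGIN example.
$TTL 3600
@    IN SOA ns1.example. hostmaster.example. 2016031802 7200 3600 1209600 3600
@    IN NS  ns1.example.
ns1  IN A   192.0.2.1
www  IN A   192.0.2.10
www  IN A   192.0.2.11
www  IN RRSIG A 8 2 3600 20160418000000 20160318000000 12345 example. c2lnMg==
"""

if __name__ == "__main__":
    print(nsupdate_script("example.", "127.0.0.1",
                          parse_zone(OLD_ZONE), parse_zone(NEW_ZONE)))
```

Pipe the output into `nsupdate -k <key>` against the public server. Two caveats follow directly from the thread: when the delta does not fit, the script refuses rather than splitting it, because splitting into several `send` batches gives up the all-or-nothing application of one UPDATE, and Mark's suggestion of `ixfr-from-differences` on a hidden master has no such size limit; and with named's simple secure update, named treats the DNSSEC records as its own to manage, so RRSIGs pushed in from an outside signer this way collide with that behaviour.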