Hi Drew,

On 26/07/10 23:49, Drew Broadley wrote:

> What if the lack of effort is due to limitations on systems with no near future solutions? (come on Bind10!)

BIND 9.7 has some useful additions to make zone signing easier/more automatic; see, e.g., OSCON 2010 slides from an ISC speaker: http://www.oscon.com/oscon2010/public/schedule/detail/14112 (the first half of the slides is intro-to-DNSSEC, the second half is a simple recipe for signing your zone using BIND 9.7).

The major limitation seems to be that in order for the turnkey setup to work, the system with the original zone information also needs the private keys (both ZSK and KSK), which may or may not be the ideal security partitioning. (I suspect it's probably okay for many if you use a hidden master that's fairly well isolated.)

As others have pointed out, with some extra effort (mainly in specifying a bunch of extra flags that are now defaults in BIND 9.7, plus some extra cron jobs) one could do the same thing well back into the BIND 9.x versions.

Ewen
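As an added example (not code from Ewen's message, nor from ISC's slides or BIND's documentation), the following shell script sketches the two setups the reply contrasts: the BIND 9.7 turnkey configuration, where the master holds both the KSK and ZSK in a key directory and `auto-dnssec maintain` keeps signatures fresh, and the pre-9.7 equivalent of a cron job that re-signs with `dnssec-signzone`. The zone name `example.com`, the key directory `/etc/bind/keys`, the zone file path under `/var/named`, and the secondary address `192.0.2.53` are placeholder assumptions; the option names are BIND's, but the surrounding layout is this example's own choice, made to match the hidden-master partitioning the reply suggests.

```shell
#!/bin/sh
# Added example, not code from the thread or from ISC. Sketches BIND 9.7
# "turnkey" zone signing on a hidden master and the pre-9.7 cron equivalent.
# Placeholders (assumptions): example.com, /etc/bind/keys, /var/named, 192.0.2.53.
set -eu

# Generate one KSK and one ZSK into the key directory named will read from.
# Both private keys land on this host; that is the partitioning point the
# thread raises, so this host should be a hidden master, not a public server.
generate_keys() {
    zone="$1"; keydir="$2"
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    dnssec-keygen -K "$keydir" -a RSASHA256 -b 2048 -f KSK -n ZONE "$zone"
    dnssec-keygen -K "$keydir" -a RSASHA256 -b 1024 -n ZONE "$zone"
}

# named.conf stanza for BIND 9.7: keys come from key-directory and named
# maintains signatures itself. auto-dnssec maintain needs dynamic update
# enabled on the zone, hence update-policy local. Transfers and notifies go
# only to the public secondary, which is what keeps the master hidden.
render_zone_stanza() {
    zone="$1"; keydir="$2"
    cat <<EOF
zone "$zone" {
    type master;
    file "/var/named/$zone.db";
    key-directory "$keydir";
    auto-dnssec maintain;
    update-policy local;
    allow-transfer { 192.0.2.53; };   # public secondary only
    notify explicit;
    also-notify { 192.0.2.53; };
};
EOF
}

# Pre-9.7 equivalent: re-sign from cron before signatures expire, then reload.
# dnssec-signzone looks for K*.key/K*.private in the current directory, so the
# job changes into the key directory and names the zone file explicitly; the
# signed output (zone file + ".signed") is what named should load.
render_cron_resign() {
    zone="$1"; keydir="$2"
    printf '%s\n' "0 3 * * * cd $keydir && dnssec-signzone -o $zone -N increment -e +2592000 /var/named/$zone.db && rndc reload $zone"
}

# Sanity check before installing a rendered stanza: refuse one that would
# serve the zone unsigned.
stanza_enables_auto_sign() {
    printf '%s\n' "$1" | grep -q 'auto-dnssec maintain;'
}

# Usage: ./sign-setup.sh keys|stanza|cron [zone] [keydir]
case "${1:-}" in
    keys)   generate_keys "${2:-example.com}" "${3:-/etc/bind/keys}" ;;
    stanza) render_zone_stanza "${2:-example.com}" "${3:-/etc/bind/keys}" ;;
    cron)   render_cron_resign "${2:-example.com}" "${3:-/etc/bind/keys}" ;;
    *)      : ;;
esac
```

Run `./sign-setup.sh keys` once on the hidden master, paste the output of `./sign-setup.sh stanza` into named.conf, and check it with `named-checkconf` before reloading; on a pre-9.7 server, install the line from `./sign-setup.sh cron` instead and point the zone statement at the `.signed` file.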