Is there a simpler solution? Is a hidden primary really the only possible
architecture? Do you think Knot DNS or any DNS server that accepts dynamic
updates can sign zones via OpenDNSSEC differently (e.g. removing all
signatures before it transfers the zones to OpenDNSSEC)? Are there perhaps
alternatives to OpenDNSSEC that can do what I want (I guess not, except
extending Knot DNS to support automatic KSK rollovers, executing custom
scripts and binaries and possibly PKCS#11)?

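The idea raised in the question, stripping every signer-generated record from a zone before it is handed to OpenDNSSEC, as an added example that is not part of this thread and not Knot DNS or OpenDNSSEC code. It assumes the zone is in master-file (presentation) format, that multi-line records are wrapped in parentheses, and that semicolons never occur inside quoted strings; the sample zone, key material and signature data are constructed placeholders.

```python
import re

# RR types an external signer (re)generates itself. DNSKEY is included because
# OpenDNSSEC manages its own key set; a stale DNSKEY RRset from a previous
# signer must not be carried into the unsigned input zone.
SIGNER_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY"}
CLASSES = {"IN", "CH", "HS"}
TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)

# Constructed sample: a zone that was already signed once and now has to be
# handed to a different signer. Key and signature data are placeholders.
SAMPLE_ZONE = """\
$TTL 3600
$ORIGIN example.com.
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2024010101 ; serial
        7200 3600 1209600 3600 )
    IN NS  ns1.example.com.
@   IN DNSKEY 257 3 13 (
        PLACEHOLDERKEYDATA== )
@   3600 IN RRSIG SOA 13 2 3600 20240201000000 20240101000000 12345 example.com. (
        PLACEHOLDERSIGDATA== )
@   IN NSEC www.example.com. SOA NS RRSIG NSEC DNSKEY
ns1 IN A    192.0.2.1
ns1 IN RRSIG A 13 3 3600 20240201000000 20240101000000 12345 example.com. PLACEHOLDERSIGDATA==
www 3600 IN A 192.0.2.10
www IN AAAA 2001:db8::10
"""


def _strip_comment(line):
    # Assumes ';' never appears inside a quoted string (true for this sample).
    return line.split(";", 1)[0]


def _finish(buf):
    """Turn accumulated physical lines into (starts_with_space, tokens, raw)."""
    raw = "\n".join(buf)
    joined = " ".join(_strip_comment(l) for l in buf)
    tokens = joined.replace("(", " ").replace(")", " ").split()
    return buf[0][:1].isspace(), tokens, raw


def _logical_records(zone_text):
    """Yield one logical record at a time.

    Master-file format lets a record span lines inside '(' ... ')', so lines
    are accumulated until the parenthesis depth returns to zero.
    """
    buf, depth = [], 0
    for line in zone_text.splitlines():
        buf.append(line)
        code = _strip_comment(line)
        depth += code.count("(") - code.count(")")
        if depth > 0:
            continue
        yield _finish(buf)
        buf, depth = [], 0
    if buf:  # unterminated parenthesis: pass the remainder through untouched
        yield _finish(buf)


def _record_type(starts_with_space, tokens):
    """Return the RR type of a record, or None for blank lines and $directives."""
    if not tokens or tokens[0].startswith("$"):
        return None
    # An owner name is present unless the record began with whitespace, in
    # which case the previous owner is implied and the first token is TTL,
    # class or type. TTL and class are optional and may come in either order.
    i = 0 if starts_with_space else 1
    while i < len(tokens) and (TTL_RE.match(tokens[i]) or tokens[i].upper() in CLASSES):
        i += 1
    return tokens[i].upper() if i < len(tokens) else None


def strip_dnssec(zone_text):
    """Return (unsigned zone text, number of signer-generated records removed)."""
    kept, removed = [], 0
    for starts_with_space, tokens, raw in _logical_records(zone_text):
        if _record_type(starts_with_space, tokens) in SIGNER_TYPES:
            removed += 1
        else:
            kept.append(raw)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    unsigned, n = strip_dnssec(SAMPLE_ZONE)
    print(f"removed {n} signer-generated records")
    print(unsigned, end="")
```

Run as a script, it prints the sample zone with its DNSKEY, RRSIG and NSEC records removed while SOA, NS, A and AAAA records and the `$TTL`/`$ORIGIN` directives survive unchanged. The SOA serial is passed through untouched; bumping it is left to whatever step publishes the re-signed zone.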
Hello Matthias,
we are currently preparing a release of Knot DNS 1.4, which will support
automatic DNSSEC signing (as an experimental feature), including DDNS
support. Key rollovers and accessing the keys via PKCS#11 are not
implemented yet but they are on our short-term plan.
Our long term plan is to provide the same comfort as OpenDNSSEC does in
Knot, but with all the features OpenDNSSEC is missing.
So I guess your current deployment is the best solution at the moment.
Stay tuned for the next release and we will be glad if you give us some
feedback. :-)
Jan