Hi Matthias-Christian,
we would be happy to help you, but you didn't state your problem.
Could you please describe what you are trying to achieve (without going into
implementation details)?
O.
On 20. 10. 2013, at 15:55, Matthias-Christian Ott <ott(a)mirix.org> wrote:
  Hi,
 without DNS UPDATE OpenDNSSEC can be configured to read an unsigned zone
 file, sign it and reload the zone [1]. With DNS UPDATE it gets more
 complicated. It seems that you have to run a hidden primary that
 receives the updates and transfers the unsigned zones to OpenDNSSEC
 which in turn transfers the zones to a slave server. There are some
 alternatives if you manipulate zone files with custom scripts.
 While a hidden primary may be acceptable and zone transfers are probably
 the most reliable solution, it is overkill for my use case and adds
 too much complexity. I could use Knot DNS to sign the zones, but it
 doesn't automate KSK rollovers and I need to execute a custom binary to
 update the keys at the registrar which is also not supported. Perhaps
 Knot DNS could remove all DNSSEC RRs before it transfers the zone to
 OpenDNSSEC, but it's kind of a hack and I'm not sure if this is a good idea.
 OpenDNSSEC also delayed support for dynamic updates to 2.x, which means
 2014 or later. So this is not an option.
 Does anyone have suggestions to solve this problem?
 Regards,
 Matthias-Christian
 [1] http://www.bortzmeyer.org/opendnssec-nsd.html
 _______________________________________________
 knot-dns-users mailing list
 knot-dns-users(a)lists.nic.cz
 https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
--
 Ondřej Surý -- Chief Science Officer
 -------------------------------------------
 CZ.NIC, z.s.p.o.    --    Laboratoře CZ.NIC
 Americka 23, 120 00 Praha 2, Czech Republic
 mailto:ondrej.sury@nic.cz    http://nic.cz/
 tel:+420.222745110       fax:+420.222745112
 -------------------------------------------