Changes between Version 1 and Version 2 of DnsecAuthoritativeServers


Timestamp: May 29, 2012, 1:54:30 AM
Author: jaspain
Comment: --

  • DnsecAuthoritativeServers (v1 → v2)

    Removed (v1):

    = DNSSEC-Enabled Authoritative Servers =
    [[PageOutline]]
    == Introduction and Scenario Description ==
    While the BIND 10 system does not yet support DNSSEC signing of zone files nor DNSSEC key management, the recent release
    of BIND 9.9.0 makes this scenario possible. Inline signing is a new feature in BIND 9.9.0 wherein a BIND 9.9.0 server
    can receive unsigned zone data via zone transfer, sign it automatically, and make the signed zone data available for
    query or outgoing zone transfer. BIND 9.9.0 takes care of DNSSEC key maintenance as well, including automatic key
    rollover. Incoming updates to the unsigned zone data are processed automatically and reflected in the outgoing signed
    zone data.

    In this scenario a BIND 10 server is used as a hidden master for one or more zones in unsigned form. It is configured
    to direct outgoing zone transfers to a BIND 9.9.0 hidden slave server, which is used for DNSSEC inline signing. The
    BIND 9.9.0 server in turn directs outgoing zone transfers to one or more additional BIND 10 servers. The latter are
    used as the publicly accessible authoritative servers for the zones in question. All of the zone transfers can be
    secured with TSIG if desired.

    Although this ad-hoc design is perhaps unnecessarily complex, it does provide the opportunity to test the ability of
    BIND 10 to serve DNSSEC signed data in a production environment, including NSEC3 closest-encloser proofs, and to
    evaluate BIND 10’s performance in this arena.

    == Configuration Details ==

    == System Administration ==

    Added (v2):

    Delete this page with misspelled title.
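The hidden-slave role described in the removed text, written out as an added named.conf fragment for the BIND 9.9.0 inline-signing server; this is not configuration from the wiki page or from the BIND project, and the zone name, addresses, file paths and key name are assumed placeholders.

```conf
// Added example (not from the wiki page): BIND 9.9.0 hidden slave that pulls the
// unsigned zone from the BIND 10 hidden master, signs it inline, and serves the
// signed zone only to the public BIND 10 servers. Addresses are RFC 5737
// documentation addresses; zone, key name and paths are assumed placeholders.

key "xfer-key" {
    algorithm hmac-sha256;
    // Placeholder; generate with: dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST xfer-key
    secret "<BASE64-TSIG-SECRET-PLACEHOLDER>";
};

options {
    directory "/var/named";          // assumed working directory
    dnssec-enable yes;
    recursion no;                    // authoritative only
    allow-query { localhost; };      // hidden: nothing but local checks (dig @localhost)
};

acl hidden-master { 192.0.2.10; };             // BIND 10 hidden master (unsigned source)
acl public-auths  { 192.0.2.21; 192.0.2.22; }; // BIND 10 public authoritative servers

// Sign every message exchanged with these peers with the TSIG key.
server 192.0.2.10 { keys { xfer-key; }; };
server 192.0.2.21 { keys { xfer-key; }; };
server 192.0.2.22 { keys { xfer-key; }; };

zone "example.com" {
    type slave;
    file "slave/example.com.db";            // unsigned copy; signed copy is written to .signed
    masters { 192.0.2.10 key xfer-key; };   // TSIG-authenticated AXFR/IXFR from the hidden master
    allow-notify { hidden-master; };        // accept NOTIFY only from the unsigned source
    inline-signing yes;                     // sign the received zone automatically (new in 9.9.0)
    auto-dnssec maintain;                   // publish/roll keys per the timing metadata in key-directory
    key-directory "keys/example.com";       // assumed; KSK and ZSK created here with dnssec-keygen -K
    allow-transfer { key xfer-key; };       // outgoing transfers require the TSIG key
    also-notify { 192.0.2.21; 192.0.2.22; };
    notify explicit;                        // notify only the public servers listed above
};

// NSEC3 is switched on after the zone has loaded, not in named.conf, e.g.:
//   rndc signing -nsec3param 1 0 10 <SALT-PLACEHOLDER> example.com
// Verify the signed output before delegating to the public servers:
//   dig @localhost example.com SOA +dnssec
```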