Hi,
without DNS UPDATE OpenDNSSEC can be configured to read an unsigned zone
file, sign it and reload the zone [1]. With DNS UPDATE it gets more
complicated. It seems that you have to run a hidden primary that
receives that updates and transfers the unsigned zones to OpenDNSSEC
which in turn transfers the zones to a slave server. There are some
alternatives if you manipulate zone files with custom scripts.
While a hidden primary may be acceptable and zone transfers are probably
the most reliable solution, it is an overkill for my use case and adds
to much complexity. I could use Knot DNS to sign the zones, but it
doesn't automate KSK rollovers and I need to execute a custom binary to
update the keys at the registrar which is also not supported. Perhaps
Knot DNS could remove all DNSSEC RRs before it transfers the zone to
OpenDNSSEC, but it's kind of a hack and I'm not sure if this a good idea.
OpenDNSSEC also delayed support for dynamic updates to 2.x, which means
2014 and or later. So this is not an option.
Does anyone have suggestions to solve this problem?
Regards,
Matthias-Christian
[1]
http://www.bortzmeyer.org/opendnssec-nsd.html