On 8.7.2014 14:24, chrysn wrote:
> hello,
> I'm operating a small hidden master server (four zones spread out to two
> external NS servers), and want to introduce DNSSEC.
> So far, I have kept my zone files in /etc under version control, but now
> knot starts overwriting them, which is kind of important because of the
> serial number increments, but also removes file structure and comments,
> and generally messes with the changelog.
Hello chrysn,
there is another possible solution: Switch zones to dynamic mode and
copy zone files to /var/lib. On every update of the unsigned zone files
in /etc, issue [nsupdate][1] which will compare the unsigned file in
/etc with the current zone file in /var/lib (ignoring DNSSEC-related RRs)
and issue DNS UPDATE messages to apply changes from unsigned zone to
signed zone.
[1]: http://dotat.at/prog/nsdiff/
That way you can keep your unsigned files well organised and documented,
yet you don't have to regenerate all the signatures on every zone file
change.
I haven't tried this in practice but I think it is the best possible
deployment scenario.
Cheers,
Ondřej Caletka
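The mechanism Ondřej describes, shown as an added example (not code from this thread, from Knot, or from nsdiff itself): read the unsigned zone file from /etc and the signed copy the server holds, drop the DNSSEC-generated RR types from the comparison, and turn the remaining difference into an nsupdate(8) script. The two zone files, the server address 127.0.0.1 and the zone name example.net are constructed for the example. It assumes the signed copy is available as a zone file (as in the /var/lib layout above; nsdiff fetches it by AXFR instead) and leaves TSIG to nsupdate's own `-k` option. SOA is skipped on both sides because a dynamic zone's serial is maintained by the server when it applies the UPDATE; the unsigned file's serial never needs to be in sync with it.

```python
"""Added example: the nsdiff idea in miniature. Compare the
human-maintained unsigned zone file with the signed copy the server
holds, ignore DNSSEC-generated RRs, and emit an nsupdate script that
applies only the real changes. Not nsdiff's own code."""

# RR types the signer generates; they must never show up in the diff.
DNSSEC_TYPES = {"RRSIG", "NSEC", "NSEC3", "NSEC3PARAM", "DNSKEY", "CDS", "CDNSKEY"}


def parse_zone(text, origin, default_ttl=3600):
    """Parse a one-RR-per-line zone file into a set of
    (owner, ttl, type, rdata) tuples. Supports $ORIGIN, $TTL, ';' comments,
    '@', relative owner names, blank-owner continuation lines and an
    optional IN class. Multi-line '(...)' RRs and ';' inside rdata (TXT)
    are not handled, to keep the example short."""
    origin = origin.rstrip(".") + "."
    rrs, last_owner = set(), origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".") + "."
            continue
        if line.startswith("$TTL"):
            default_ttl = int(line.split()[1])
            continue
        fields = line.split()
        if line[0].isspace():          # no owner field: reuse the previous one
            owner = last_owner
        else:
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = f"{owner}.{origin}"
            last_owner = owner
        ttl = default_ttl
        if fields and fields[0].isdigit():
            ttl = int(fields.pop(0))
        if fields and fields[0].upper() == "IN":
            fields.pop(0)
        rtype = fields.pop(0).upper()
        rrs.add((owner, ttl, rtype, " ".join(fields)))
    return rrs


def zone_diff(unsigned, signed):
    """Return (to_delete, to_add). DNSSEC RRs in the signed copy are
    ignored, and SOA is left out on both sides: in a dynamic zone the
    server bumps the serial itself when it applies the UPDATE."""
    skip = DNSSEC_TYPES | {"SOA"}
    old = {rr for rr in signed if rr[2] not in skip}
    new = {rr for rr in unsigned if rr[2] not in skip}
    return sorted(old - new), sorted(new - old)


def nsupdate_script(zone, server, to_delete, to_add):
    """Render the diff as nsupdate(8) input: one transaction, deletes first."""
    lines = [f"server {server}", f"zone {zone}"]
    lines += [f"update delete {o} {t} {r}" for o, _, t, r in to_delete]
    lines += [f"update add {o} {ttl} {t} {r}" for o, ttl, t, r in to_add]
    lines.append("send")
    return "\n".join(lines) + "\n"


def build_update(unsigned_text, signed_text, zone, server):
    """Whole pipeline: parse both copies, diff them, render the script."""
    dele, add = zone_diff(parse_zone(unsigned_text, zone), parse_zone(signed_text, zone))
    return nsupdate_script(zone, server, dele, add)


# Constructed sample: the version-controlled unsigned file in /etc.
# Mail has just been moved to a new host; the old one was removed.
UNSIGNED = """\
; example.net -- hand-maintained, under version control
$ORIGIN example.net.
$TTL 3600
@       IN SOA  ns1.example.net. hostmaster.example.net. 2014070801 7200 3600 1209600 3600
@       IN NS   ns1.example.net.
@       IN NS   ns2.example.org.
; mail moved to the new provider in July 2014
@       IN MX   10 mail.example.net.
mail    IN A    192.0.2.25
www     IN A    192.0.2.10
"""

# Constructed sample: the signed copy the server holds in /var/lib,
# with its own serial, signatures, keys and chain (placeholder values).
SIGNED = """\
$ORIGIN example.net.
$TTL 3600
@       IN SOA    ns1.example.net. hostmaster.example.net. 2014070855 7200 3600 1209600 3600
@       IN RRSIG  SOA 8 2 3600 20140801000000 20140701000000 12345 example.net. c2lnbmF0dXJl
@       IN NS     ns1.example.net.
@       IN NS     ns2.example.org.
@       IN DNSKEY 257 3 8 AwEAAcOnc3RydWN0ZWQ=
@       IN MX     10 oldmail.example.net.
@       IN NSEC   oldmail.example.net. NS SOA MX RRSIG NSEC DNSKEY
oldmail IN A      192.0.2.20
www     IN A      192.0.2.10
www     IN RRSIG  A 8 3 3600 20140801000000 20140701000000 12345 example.net. c2lnbmF0dXJl
"""

if __name__ == "__main__":
    # Pipe this output into: nsupdate -k /path/to/tsig.key
    print(build_update(UNSIGNED, SIGNED, "example.net", "127.0.0.1"), end="")
```

The emitted script deletes the stale MX and the old mail host's A record and adds the new ones; the SOA, RRSIG, DNSKEY and NSEC records of the signed copy never appear in it, so the server re-signs only the RRsets the UPDATE touched. In practice the same effect is obtained with nsdiff piped into nsupdate, which additionally fetches the signed zone by AXFR and authenticates the update with TSIG.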