tech-userlevel archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: CVS commit: src/etc/rc.d

Tonnerre LOMBARD <> writes:
> On Sun, Aug 09, 2009 at 09:41:00AM -0400, Perry E. Metzger wrote:
>> >> So don't do that.
>> >
>> > Don't do what?
>> Don't do the DNS signature generation at the same moment that you bring
>> up the name server to provide resolution services locally. There is no
>> reason that you have to do things that way (and in fact, there are a lot
>> of reasons not to.) BTW, I don't believe our current scripts are set up
>> to do that anyway, so this is moot.
> The zone provider has to generate a DNSSEC signature at the moment it
> signals people to reload the zone.

And why would it "have" to signal people to reload a zone that hadn't

You have to sign zone files when they change or when a signature
expires. You don't have to do it at boot time. You don't even have to do
it on the same machine that is serving the zones. I suggest reading the


Home | Main Index | Thread Index | Old Index