On 02/01/2017 01:02 AM, Daniel Reich wrote:
I have a script to resign all DNS zones every two weeks.
I don't think I can answer the question about why your script is failing
per se, but I can say that there are some flaws in the approach that
your script is taking. Primarily, if you delete your old key when you
create a new one, any external host that has any record from your zone
in its cache will consider your zone to be invalid and will be unable to
resolve new records (or any records? I'm unclear on that, actually) for
the duration of your TTL. Key rotation is not instantaneous.
I'm actually working on a key rotation management job, myself:
https://bitbucket.org/gordonmessmer/update-dns-keys/src
I've been running it for a while, and I'm comfortable with the ZSK
rotation segment. I have not yet tested the KSK rotation. If you'd
like to help, please send patches.
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
