Until now, implementing DNSSEC with ISC BIND has been manually intensive and complicated at best. Following the general availability of BIND 9.7.0 on 02-16-2010, the task is not nearly as daunting. In this article we review, at a high level, some of the changes, features, and enhancements that have been incorporated in BIND 9.7.0 in support of DNSSEC. This multi-part series will cover:
- New DNSSEC key metadata and lifecycle maintenance
- Automatic zone signing by "named"
- Simplified configuration of DNSSEC Lookaside Validation (DLV)
- Configuring Dynamic DNS using ddns-confgen or the "local" update-policy option
- The new dnssec-settime CLI tool and changes to dnssec-keygen and dnssec-signzone
- Smart signing: overview of the tools for zone signing and key maintenance.
- Improved PKCS#11 support for using Hardware Security Modules (HSMs) for storage and signing operations
BIND 9.7.0 can be freely downloaded from https://www.isc.org