I’ve seen some pointers that passing “-r /dev/urandom” will generate a less secure key, but for me dnssec-keygen would just halt without that parameter.

If you have followed the steps in my previous post you might have your zone database files in /etc/bind/zones.

We will start by copying the files so we have a backup remaining if anything goes wrong:

1.1 Copy the zone database files:

We now need to add the key to the bind configuration and tell it which zones we want it to allow updates on.

I’m not sure how often bind rewrites these files, but it at least seems to always happen when you stop the bind service.

What I think is more important is to always stop the bind service before making any changes to the database files; otherwise they might be overwritten by bind.
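A way to make that edit without taking the service down, as an added example in shell (not code from the original post): BIND keeps dynamic updates in a <zonefile>.jnl journal and folds them back into the zone file, which is why a hand edit made while named is running gets overwritten. "rndc freeze <zone>" writes the journal out and stops accepting updates for that zone so the file is safe to edit, and "rndc thaw <zone>" reloads the file and resumes updates. The SOA serial has to increase with every hand edit or secondaries will not pull the change, so the example bumps it. The zone name, file path, and the constructed sample zone are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Edit a dynamic zone's master file without stopping named: freeze the zone
# (named flushes <zonefile>.jnl into the file and refuses further updates),
# bump the SOA serial, thaw (named reloads the file and accepts updates again).
# Zone name, file path and the sample zone below are assumptions for illustration.

# Print zone file $1 with the first all-digit field after the SOA token
# incremented. Handles one-line and bracketed multi-line SOA records; %.0f
# keeps serials above 2^31 from being printed in exponent form.
bump_soa_serial() {
    awk '
        !done {
            start = 1
            if (!insoa) {
                for (i = 1; i <= NF; i++)
                    if ($i == "SOA") { insoa = 1; start = i + 1; break }
            }
            if (insoa) {
                for (i = start; i <= NF; i++)
                    if ($i ~ /^[0-9]+$/) { $i = sprintf("%.0f", $i + 1); done = 1; break }
            }
        }
        { print }
    ' "$1"
}

# Print the current SOA serial of zone file $1 (first all-digit field after SOA).
get_soa_serial() {
    awk '
        !insoa { start = 1; for (i = 1; i <= NF; i++) if ($i == "SOA") { insoa = 1; start = i + 1; break } }
        insoa  { for (i = start; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit }; start = 1 }
    ' "$1"
}

# Freeze, edit, thaw. Needs a working rndc (rndc.key) on the host.
# The edited content is copied over the original with cat so the file keeps
# the ownership and mode named expects; thaw runs even if the edit failed so
# the zone is never left frozen.
edit_dynamic_zone() {
    zone=$1; file=$2
    rndc freeze "$zone" || return 1
    bump_soa_serial "$file" > "$file.new" && cat "$file.new" > "$file" && rm -f "$file.new"
    rndc thaw "$zone"
}

# Constructed sample zone (not a real zone) to show the serial bump offline.
sample=$(mktemp)
cat > "$sample" <<'EOF'
$TTL 86400
@   86400 IN SOA ns1.example.lan. hostmaster.example.lan. (
            2010010101  ; serial
            3600        ; refresh
            900         ; retry
            604800      ; expire
            86400 )     ; minimum
@   IN NS ns1.example.lan.
EOF
echo "before: $(get_soa_serial "$sample")"
bump_soa_serial "$sample" > "$sample.new"
echo "after:  $(get_soa_serial "$sample.new")"
rm -f "$sample" "$sample.new"
```

On a live server you would call edit_dynamic_zone with the zone name and its file under /etc/bind/zones; the sample run at the bottom only exercises the serial bump. The serial on the SOA line's own TTL (the 86400 before IN) is deliberately skipped because only digit fields after the SOA token are considered.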

I’ve included the whole contents of my file here and marked the changes that I’ve made in bold.

3.1 Edit /etc/bind/local:

    #
    # Make sure to change the ddns update style to interim:
    ddns-update-style interim;
    ignore client-updates;

    # Overwrite client configured FQHNs
    ddns-domainname "";
    ddns-rev-domainname "";

    # option definitions common to all supported networks...
    subnet .0 netmask 255.255.255.0

The DNS database files are now being rewritten by the bind service.
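The whole procedure (secret key, bind configuration allowing updates by that key, and the matching DHCP server key) carried through end to end, as an added shell example that is not code from the original post. It draws the 512 random bits for the TSIG secret straight from /dev/urandom, which is exactly the source “-r /dev/urandom” makes dnssec-keygen use, and renders the key and zone stanzas for named.conf.local and dhcpd.conf from one secret so the two sides cannot drift apart. The key name DHCP_UPDATER, the zones example.lan and 1.168.192.in-addr.arpa, the 127.0.0.1 primary and the /etc/bind/zones/db.<zone> file naming are assumptions for illustration. The algorithm defaults to hmac-sha256; keys produced with dnssec-keygen -a HMAC-MD5 would use hmac-md5 instead, and whichever you choose must be spelled the same in both files.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Generate a TSIG secret and render the matching BIND and ISC DHCP stanzas
# for dynamic DNS updates. Key name, zones, primary address and file paths
# are assumptions for illustration.

# dnssec-keygen reads /dev/random by default and blocks until the kernel
# pool has enough entropy; "-r /dev/urandom" avoids the stall. The same
# bits can be read from /dev/urandom directly, as here.
TSIG_ALGO=${TSIG_ALGO:-hmac-sha256}   # hmac-md5 for keys made with -a HMAC-MD5

# Print a base64 TSIG secret of $1 random bytes (default 64 = 512 bits, as -b 512).
gen_tsig_secret() {
    head -c "${1:-64}" /dev/urandom | base64 | tr -d '\n'
}

# Check that a secret decodes from base64 to $2 bytes; prints ok or bad.
check_secret_length() {
    n=$(printf '%s' "$1" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$n" -eq "$2" ] && echo ok || echo bad
}

# named.conf.local fragment: key definition, then one master zone per
# argument with allow-update restricted to that key.
# $1 key name, $2 secret, $3.. zone names
render_named_conf() {
    keyname=$1; secret=$2; shift 2
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$keyname" "$TSIG_ALGO" "$secret"
    for zone in "$@"; do
        printf '\nzone "%s" {\n\ttype master;\n\tfile "/etc/bind/zones/db.%s";\n\tallow-update { key "%s"; };\n};\n' \
            "$zone" "$zone" "$keyname"
    done
}

# dhcpd.conf fragment: the same key, then a zone stanza per argument telling
# dhcpd which server to send updates to and which key to sign them with.
# $1 key name, $2 secret, $3 primary DNS address, $4.. zone names
render_dhcpd_conf() {
    keyname=$1; secret=$2; primary=$3; shift 3
    printf 'key %s {\n\talgorithm %s;\n\tsecret %s;\n}\n' "$keyname" "$TSIG_ALGO" "$secret"
    for zone in "$@"; do
        printf '\nzone %s. {\n\tprimary %s;\n\tkey %s;\n}\n' "$zone" "$primary" "$keyname"
    done
}

# Usage: one secret, both fragments.
secret=$(gen_tsig_secret 64)
echo "secret check: $(check_secret_length "$secret" 64)"
echo '--- named.conf.local fragment ---'
render_named_conf DHCP_UPDATER "$secret" example.lan 1.168.192.in-addr.arpa
echo '--- dhcpd.conf fragment ---'
render_dhcpd_conf DHCP_UPDATER "$secret" 127.0.0.1 example.lan 1.168.192.in-addr.arpa
```

The fragments are meant to be appended to the respective files, with both files readable only by root and the daemon user, since the secret is all a client needs to rewrite the zone. The zone stanzas in dhcpd.conf are needed for ddns-update-style interim to sign its updates; without a matching key, named will reject them under allow-update.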

The great thing is that it even works out of the box on some operating systems.

Still, if it doesn't, here are three things to take care of to enable this feature:

Note that generally this is not considered a secure setting, and it could be hardened by using key-based authentication, which I won't cover here.

I'm curious about the security aspect of this model.

Please let me know if you know of a better solution.

When using dnssec-keygen to generate the secret key, I passed it the parameter “-r /dev/urandom”.

Update: added a new post on configuring Solaris, link below.