Ches’s blog

 
 
 
 
 

I am running through DNSSEC in Six Minutes (http://www.isc.org/sw/bind/docs/DNSSEC_in_6_minutes.pdf) for cheswick.com and affiliated domains.  This is something we have to do to really deal with the recent emergence of DNS cache poisoning.


Alas, it is taking a lot longer than six minutes, and some of the directions aren’t quite clear enough.  This zone signing stuff requires automation of DNS master files of the sort I used to do with the makefile back at the Labs 15 years ago.  I have been running cheswick.com with a small hand-edited config file, but this has to change.


I wonder if I will break this enough to destroy cheswick.com for Labor Day weekend, coming home to a fun sysadmin problem.  In any case, this is good practice to keep my hand in at sysadmin issues.  I don’t run research.att.com any more. (This is probably a good thing.)


Do I have to recompile bind 9 in the system?  Use the ports version?  Google hits are not helping.  Time to go to the beach and read something trashy.


 

Thursday, August 28, 2008

DNSSEC for cheswick.com

 
 