Thomas Schulz <sch...@adi.com> wrote: > > Am I correct in thinking that in the case of a hidden master and a chain > of slaves, that the first publicly acessable slave would do the signing > and that in any case only one instance of bind should do the signing?
It is better if the hidden master does the signing, since it is a less exposed system so it is better able to protect the keys. Slave inline signing mode is for situations where the hidden master can't sign for whatever reason. Yes it is normal to sign in only one place. If you don't you are likely to have problems with inconsistent zone serial numbers, and RRSIG times. And you will need a good mechanism to make sure your keys are consistent! Tony. -- f.anthony.n.finch <d...@dotat.at> http://dotat.at/ Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first. Rough, becoming slight or moderate. Showers, rain at first. Moderate or good, occasionally poor at first. _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
