Michael Sinatra <mich...@brokendns.net> wrote:
>
> My only concern is that serial numbers might get out of sync between the
> two signers at some point.
You can avoid this problem with `serial-update-method unixtime`.

HOWEVER! I think you are going to have problems with inconsistent IXFRs depending on which signer the public authoritative servers talk to. You can work around this by only using AXFR, by turning off `provide-ixfr` and `request-ixfr`.

If this is going to be painful for you because of zone sizes, you might consider getting dirty with dnssec-signzone, which gives you more control over when signing happens and over RRSIG validity periods. I think (depending on the signature algorithm) this will allow you to ensure that the two signers produce the same zones at the same times. But it'll require a fair amount of fiddling to get right.

(My recovery plan for a failed signer is to reprovision a replacement from scratch.)

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
individual and social justice
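What the two settings Tony describes look like in a single signer's named.conf, as an added example that is not Tony's or Michael's configuration: the zone name, file paths, key directory and the 192.0.2.53 / 198.51.100.53 addresses are placeholders, and the second signer would carry the identical stanza fed from the same unsigned master file. `provide-ixfr no` lives in `options` because BIND accepts it globally or per `server`, not per zone; with it set, named answers every IXFR request with a full zone transfer, so the public servers never splice a diff computed from one signer's signed copy onto a zone they loaded from the other.

```conf
// Added example, not from the original thread. One of two independent
// BIND 9 inline-signing signers for example.com. Hostnames, addresses,
// zone name and paths are assumptions; statement names are standard.

options {
    directory "/var/named";

    // Never offer incremental transfers. A secondary that asks for IXFR
    // gets a full AXFR instead, so it can never apply a diff that was
    // computed against the *other* signer's signed copy of the zone.
    provide-ixfr no;

    // Symmetric setting, in case this host also pulls zones from elsewhere.
    request-ixfr no;
};

zone "example.com" {
    type master;
    file "master/example.com.db";          // unsigned zone, identical on both signers
    key-directory "keys/example.com";      // same ZSK/KSK material on both signers

    inline-signing yes;
    auto-dnssec maintain;

    // Take the SOA serial from the signing time rather than incrementing
    // the previous value, so two signers whose counters have drifted
    // apart converge on the same serial at the next re-sign.
    serial-update-method unixtime;

    // Public authoritative servers that AXFR the signed zone (placeholder addresses).
    allow-transfer { 192.0.2.53; 198.51.100.53; };
    also-notify    { 192.0.2.53; 198.51.100.53; };
};
```

For the dnssec-signzone route Tony mentions, the equivalent knobs are `-s` and `-e` (fixed RRSIG inception and expiry), `-j 0` (no expiry jitter) and `-N unixtime`; even with those pinned, the two signers only emit byte-identical zones if the algorithm signs deterministically (RSASHA256 does; ECDSA as produced by OpenSSL draws a fresh random nonce per signature, so the RRSIGs differ even when the inputs match).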