Hello All.

I have a pair of ISC BIND 9.12.3-P1 servers that are configured as slaves to a 
pair of Hidden Master servers.  The Hidden Masters are a proprietary product 
and unfortunately when used to sign the zones, the SOA records are not 
populated as expected.  As a result, I was looking into signing the zones 
within ISC BIND instead.  Reviewed the literature, came up with a plan and the 
required configuration changes.  However, things are not proceeding as I had 
hoped...

When I included the required statements within the zone options, BIND complained 
that update-policy local is not permitted in a zone of type slave (and failed to 
start):

                key-directory "keys/externals/{{ zone.zonename }}";
                inline-signing yes;
                auto-dnssec maintain;
                update-policy local;

So I switched it out for the allow-update { localhost; };, and BIND complained 
that allow-update is not permitted in a zone of type slave (and failed to 
start).

So I changed my zone type from slave to master (recall that these BIND 
instances are intended to be slaved off of the Hidden Masters), and BIND 
complained that masters statements were not permitted in zones of type master 
(meaning that updates would not be accepted).

Is there a way for me to sign the zones on the slave servers, even though I 
intend to provision content into those same zones on the proprietary Hidden 
Masters?

Thanks.

Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada
