Hi Adrien,

You should **not** copy the dnssec-policy configuration to your secondaries. They transfer in the signed zone from the primary server.

Best regards,

Matthijs
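
As an added illustration of the answer above (not part of the original thread; the zone name, addresses and paths are placeholders), the primary keeps the policy and does the signing, while a secondary only transfers the signed zone:

```conf
// --- primary (the signer) named.conf; placeholders: example.net, 192.0.2.x ---
dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};

zone "example.net" {
    type primary;                     // older spelling: type master;
    file "/var/lib/named/example.net.db";
    key-directory "/var/lib/named/keys/";
    inline-signing yes;
    dnssec-policy test;               // only here: keys are generated and used on the primary
    notify yes;
    allow-transfer { 192.0.2.2; 192.0.2.3; };  // restrict transfers to the secondaries
};

// --- secondary named.conf; placeholder primary address 192.0.2.1 ---
zone "example.net" {
    type secondary;                   // older spelling: type slave;
    file "/var/lib/named/example.net.db";
    primaries { 192.0.2.1; };         // older spelling: masters { ... };
    // No dnssec-policy, no key-directory, no inline-signing: the zone arrives
    // already signed via AXFR/IXFR, and the private keys never leave the primary.
};
```

Once both are loaded, `dig @192.0.2.1 example.net DNSKEY` and the same query against each secondary should return identical RRsets; `rndc dnssec -status example.net` on the primary shows the key rollover state.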


On 12/9/22 09:24, adrien sipasseuth wrote:
Hello,


Looking for some guidance, sorry if I use the wrong way to contact community user support.


I would like to set up DNSSEC using KASP.

I have an architecture with a master and several slaves.

Here is my policy and zone configuration:

dnssec-policy "test" {
     keys {
         ksk lifetime P3D algorithm rsasha256 2048;
         zsk lifetime P2D algorithm rsasha256 1024;
     };
};

zone "**************" {
     type master;
     file "/*******/*****.db";
     notify yes;
     key-directory "/******/******/";
     inline-signing yes;
     dnssec-policy test;
};


After the restart it seems OK: keys are generated on the master, no errors in the logs, etc.

I copied this policy, the keys and the zone configuration to each of my slaves, then I restarted my slaves; everything seems OK (in the logs).

Except that now I wonder if the keys on each of my slaves will be generated independently from those of my master.


In this case, I will end up with different keys for the same zone depending on slave1 / slave2 etc. / master. I suppose that this is not good, because for the same zone we should have one pair of keys, and this one should be copied to each slave?

Is there some tutorial / documentation about how to set up KASP in a master / slaves topology?


Sorry if it's not clear enough...


Thank you

*Adrien SIPASSEUTH*



bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users