Hi Adrien,
You should **not** copy the dnssec-policy configuration to your
secondaries. They transfer in the signed zone from the primary server.
Best regards,
Matthijs
On 12/9/22 09:24, adrien sipasseuth wrote:
Hello,
Looking for some guidance, sorry if I use the wrong way to contact
community user support.
I would like to set up DNSSEC using KASP.
I have an architecture with a master and several slaves.
Here is my policy and zone configuration:
dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};
zone "**************" {
    type master;
    file "/*******/*****.db";
    notify yes;
    key-directory "/******/******/";
    inline-signing yes;
    dnssec-policy test;
};
After restart, it seems ok, keys are generated on master, no errors in
logs etc.
I copied this policy, the keys and the zone configuration on each of my
slaves, then I restarted my slaves; everything seems ok (in the logs),
except that now I wonder if the keys on each of my slaves will be
generated independently from those of my master.
In this case, I will end up with different keys for the same zone
depending on the slave1 / slave2 etc / master. I suppose that it is not
good because we should have for the same zone, a pair of keys and this
one should be copied on each slave?
Is there some tutorial / documentation about how to set up KASP in a master /
slaves topology?
Sorry if it's not clear enough...
Thank you
*Adrien SIPASSEUTH*
--
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
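
Added example, not part of the thread and not ISC's own configuration: the secondary-side zone stanza with the copied signing options, next to the form the reply calls for. The zone name, the address 192.0.2.1 and the file paths are constructed placeholders, and the two stanzas are alternatives, not one file.

```conf
# --- Secondary with the primary's signing options copied over ---
# These options make the secondary a signer in its own right, which is the
# situation the question worries about (keys managed per server).
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };                  # constructed primary address
    file "/var/named/slaves/example.com.db"; # constructed path
    key-directory "/var/named/keys/";        # copied from the primary
    inline-signing yes;                      # copied from the primary
    dnssec-policy test;                      # copied from the primary
};

# --- Secondary that only transfers the signed zone ---
# The primary signs under dnssec-policy "test"; the DNSKEY and RRSIG records
# arrive through the zone transfer like any other record. No dnssec-policy
# block, no key-directory and no key files are needed on this host, because
# it never signs anything.
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };                  # constructed primary address
    file "/var/named/slaves/example.com.db"; # constructed path
};
```

Once the secondaries have caught up with the primary's serial, `dig @<server> <zone> DNSKEY +dnssec` should return the same DNSKEY set from the primary and from every secondary.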