Hi,
No.
You don't need DNSSEC maintenance on your secondary zones if you already
have set it on your primary zones. So
zone "***" {
type secondary;
primaries { ***; };
file "***.db";
};
is enough.
Best regards,
Matthijs.
On 12/9/22 09:58, adrien sipasseuth wrote:
Hi Matthijs,
thank you, so just to confirm something like this should work :
Master :
dnssec-policy "test" {
keys {
ksk lifetime P3D algorithm rsasha256 2048;
zsk lifetime P2D algorithm rsasha256 1024;
};
};
zone "**************" {
type master;
file "/*******/*****.db";
notify yes;
key-directory "/******/******/";
inline-signing yes;
dnssec-policy test;
};
And my Slaves :
zone "**************" {
type slave;
masters { ************** ; };
file "/ **************/ ************** / ************** .db";
key-directory "/ ************** / ************** / ************** .fr";
auto-dnssec maintain;
inline-signing yes;
};
am i rigth ?
Regards
Adrien
Le ven. 9 déc. 2022 à 09:33, Matthijs Mekking <matth...@isc.org
<mailto:matth...@isc.org>> a écrit :
Hi Adrien,
You should **not** copy the dnssec-policy configuration to your
secondaries. They transfer in the signed zone from the primary server.
Best regards,
Matthijs
On 12/9/22 09:24, adrien sipasseuth wrote:
> Hello,
>
>
> Lokking for some guidance, sorry if i use the wrong way to contact
> community user support.
>
>
> I would like to set up DNSSEC using KASP.
>
> I have an architecture with a master and several slaves.
>
> Here is my policy and zone configuration:
>
> dnssec-policy "test" {
>
> keys {
>
> ksk lifetime P3D algorithm rsasha256 2048;
>
> zsk lifetime P2D algorithm rsasha256 1024;
>
> };
>
> };
>
> zone "**************" {
>
> type master;
>
> file "/*******/*****.db";
>
> notify yes;
>
> key-directory "/******/******/";
>
> inline-signing yes;
>
> dnssec-policy test;
>
> };
>
>
> after restart, it seems ok, keys are generated on master, no
errors in
> logs etc.
>
> I copied this policy, the keys and the zone configuration on each
of my
> slaves then I restarted my slaves everything seems ok (in the logs).
>
> except that now I wonder if the keys on each of my slaves will be
> generated independently from those of my master.
>
>
> In this case, I will end up with different keys for the same zone
> depending on the slave1 / slave2 etc / master. I suppose that it
is not
> good because we should have for the same zone, a pair of keys and
this
> one should be copied on each slaves?
>
> There some tuto / documentation about how to setup KASP in master /
> slaves topology ?
>
>
> Sorry if it's not enough clear...
>
>
> Thank you
>
> *Adrien SIPASSEUTH*
>
>
--
Visit https://lists.isc.org/mailman/listinfo/bind-users
<https://lists.isc.org/mailman/listinfo/bind-users> to unsubscribe
from this list
ISC funds the development of this software with paid support
subscriptions. Contact us at https://www.isc.org/contact/
<https://www.isc.org/contact/> for more information.
bind-users mailing list
bind-users@lists.isc.org <mailto:bind-users@lists.isc.org>
https://lists.isc.org/mailman/listinfo/bind-users
<https://lists.isc.org/mailman/listinfo/bind-users>
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
