>
>
> the keys are generated on the master but not on the slaves.
> so I don't understand how the slaves can read their zone file which ends in
> ".signed" because they don't have the keys? (but it works with dig, I see
> DS with the right ZSK)
>
> Regards
>
> Adrien
>
Because the zone is signed with DNSSEC but not encrypted. DNSSEC is only
providing authentication of the source of the zone, not hiding the contents
(https://www.rfc-editor.org/rfc/rfc4033). For the primary -> secondary zone
transfer, you should set up TSIG authentication if you haven’t already, to ensure
that only your secondary can perform a zone transfer
(https://www.rfc-editor.org/rfc/rfc2931 and
https://bind9.readthedocs.io/en/v9_18_9/chapter7.html#tsig).
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
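The primary/secondary setup the reply recommends, as an added BIND 9 named.conf example that is not part of the original thread. The zone name, the addresses 192.0.2.10/192.0.2.20, the key name "xfer-key" and the key secret are assumptions; the secret shown is a constructed placeholder and must be replaced with the output of tsig-keygen. The secondary needs no DNSSEC signing keys: it receives the already-signed zone (RRSIGs, DNSKEY and NSEC/NSEC3 records included) over the transfer, and TSIG only proves to the primary that the peer requesting the transfer holds the shared secret.

```conf
// Added example, not from the original message: TSIG-protected zone transfer.
// Generate the shared secret once and copy the same "key" block to both hosts:
//   tsig-keygen xfer-key        (prints a key {} block with a fresh random secret)
// Syntax below is BIND 9.16+/9.18 (type primary/secondary, primaries {}).

key "xfer-key" {
    algorithm hmac-sha256;
    // Constructed placeholder (assumption): paste the secret from tsig-keygen here.
    secret "K2kUV4aRrb9IHQS1lMfFd1ZsTz4lUW3Q7mQ5Q7n9t9E=";
};

// ---------- primary (192.0.2.10) ----------
zone "example.com" {
    type primary;
    file "example.com.zone.signed";    // the DNSSEC-signed zone (signing keys live here only)
    // Transfers are allowed only for requests signed with xfer-key. Without this
    // line, any host that can reach port 53 could AXFR the whole zone; DNSSEC
    // signatures do not prevent that, they only let resolvers verify the data.
    allow-transfer { key "xfer-key"; };
};

// ---------- secondary (192.0.2.20) ----------
zone "example.com" {
    type secondary;
    // Sign SOA queries and AXFR/IXFR requests to this primary with xfer-key.
    primaries { 192.0.2.10 key "xfer-key"; };
    // Written by named as received: signed records and all, no keys needed here.
    file "example.com.zone.signed";
};

// Checks (run on the secondary or any other host):
//   named-checkconf                                  -> no output means the syntax is OK
//   dig @192.0.2.10 example.com AXFR                 -> "Transfer failed." (unsigned request refused)
//   dig -y hmac-sha256:xfer-key:<secret> @192.0.2.10 example.com AXFR
//                                                    -> full zone, ending with a TSIG record
```

Keep the key secret out of world-readable files and out of version control; rndc and the rest of named.conf do not need to see it, so an `include "/etc/bind/xfer-key.conf";` with restrictive permissions is the usual layout. If the primary logs "request has invalid signature" or the transfer is refused, check that both hosts have the same key name, algorithm and secret and that their clocks are within the TSIG fudge window (300 seconds by default).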