> 
> 
> the keys are generated on the master but not on the slaves.
> So I don't understand how the slaves can read their zone file, which ends in 
> ".signed", because they don't have the keys? (But it works with dig; I see 
> DS with the right ZSK)
> 
> Regards
> 
> Adrien
> 

Because the zone is signed with DNSSEC but not encrypted.  DNSSEC only 
provides authentication of the source of the zone, not hiding the contents 
(https://www.rfc-editor.org/rfc/rfc4033).  For the primary -> secondary zone 
transfer, you should set up TSIG authentication if you haven’t already, to ensure 
that only your secondary can perform a zone transfer 
(https://www.rfc-editor.org/rfc/rfc2931 and 
https://bind9.readthedocs.io/en/v9_18_9/chapter7.html#tsig).

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
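The TSIG setup recommended in the reply above, written out as an added example (not part of the original thread or of the BIND documentation it links). It assumes a zone `example.com`, a primary at `192.0.2.1`, a secondary at `192.0.2.2`, a key named `xfer-key`, and that `.signed` is the file BIND's inline signing produced on the primary; the secret is a placeholder to be replaced with the output of `tsig-keygen -a hmac-sha256 xfer-key`. The secondary stores the same public DNSKEY/RRSIG records it receives over the transfer and needs no private key, which is why the `.signed` zone loads there; TSIG protects who may request that transfer, not the confidentiality of the data.

```conf
// ---- shared on BOTH servers: the TSIG key (assumed name and placeholder secret) ----
// Generate once with:  tsig-keygen -a hmac-sha256 xfer-key
// and paste the result verbatim on both hosts (keep this file mode 0640, owner named).
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-FROM-tsig-keygen=";   // placeholder, not a real secret
};

// ---- primary (192.0.2.1) ----
// Serve the DNSSEC-signed file; transfers are allowed only to requesters that
// sign the AXFR/IXFR request with "xfer-key". Do not rely on the build default;
// state allow-transfer explicitly.
zone "example.com" {
    type primary;                     // "master" on BIND older than 9.16
    file "example.com.zone.signed";   // assumed path of the inline-signed zone
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };       // assumed secondary address
};

// ---- secondary (192.0.2.2) ----
// Attach the key to the primary so every transfer request sent to it is TSIG-signed.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type secondary;                   // "slave" on BIND older than 9.16
    primaries { 192.0.2.1; };         // "masters" on BIND older than 9.16
    file "example.com.zone.signed";   // local copy; the name is a local choice
    allow-transfer { none; };         // the secondary does not re-distribute the zone
};
```

To confirm the restriction is effective, run an unsigned transfer from a host other than the secondary, `dig @192.0.2.1 example.com AXFR`, which should fail with a REFUSED answer, and then the signed form, `dig @192.0.2.1 example.com AXFR -y hmac-sha256:xfer-key:<secret>`, which should return the full zone including its RRSIG and DNSKEY records. A rejected transfer shows up in the primary's log as a `zone transfer ... denied` message, which is a useful line to alert on.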