Hi,

OK, I got confused; no need for the keys on the slaves actually.

On the other hand, my slaves should generate the .signed, .signed.jnl and .jbk files of my zones, no? Currently that is not the case for me; should I copy them from the master? Moreover, when I test a "dig A" on a slave I don't get the associated RRSIG, while on the master I do.

Regards,
Adrien

On Mon, 12 Dec 2022 at 12:59, Darren Ankney <darren.ank...@gmail.com> wrote:

> the keys are generated on the master but not on the slaves.
> so I don't understand how the slaves can read their zone file which ends in
> ".signed" because they don't have the keys? (but it works with dig, I
> see DS with the right ZSK)
>
> Regards
>
> Adrien
>
>
> Because the zone is signed with DNSSEC but not encrypted. DNSSEC is only
> providing authentication of the source of the zone, not hiding the contents
> (https://www.rfc-editor.org/rfc/rfc4033). For the primary -> secondary
> zone transfer, you should set up TSIG authentication if you haven't already
> to ensure that only your secondary can perform a zone transfer
> (https://www.rfc-editor.org/rfc/rfc2931 and
> https://bind9.readthedocs.io/en/v9_18_9/chapter7.html#tsig).
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> ISC funds the development of this software with paid support
> subscriptions. Contact us at https://www.isc.org/contact/ for more
> information.
>
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
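
An added example, not part of the thread and not the posters' configuration: named.conf fragments for the TSIG-protected primary-to-secondary zone transfer recommended in the quoted reply. The zone name example.com, the addresses 192.0.2.1 and 192.0.2.2, the key name xfer-key and the file names are assumptions, and the secret is a placeholder.

```conf
// ---- primary (assumed address 192.0.2.1), named.conf ----
// Shared secret generated once with: tsig-keygen -a hmac-sha256 xfer-key
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";   // placeholder, keep the real value out of version control
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // existing DNSSEC signing options for the zone stay as they are
    allow-transfer { key "xfer-key"; };    // serve AXFR/IXFR only to requests signed with this key
    also-notify { 192.0.2.2; };            // assumed address of the secondary
};

// ---- secondary (assumed address 192.0.2.2), named.conf ----
// Same key name, algorithm and secret as on the primary.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

// Sign every request sent to the primary with the shared key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };
    file "example.com.db";
    // No DNSSEC private keys are configured here: the RRSIG records
    // arrive inside the transferred zone data.
};
```

Running `named-checkconf` on each host checks the syntax before `named` is reloaded.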