On 1/17/23 4:45 PM, Michael Richardson wrote:
> Many people do exactly that.
Sorry, I don't see that as an answer to -- my understanding of -- the OP's question of "Does the primary server that handles the DNSSEC duties need to be not hidden / publicly accessible?"
Specifically what many people do, or not, doesn't translate to a requirement.
> In my opinion, this is the best way to do things, and the in-place signing is just a total pain.
Your opinions, such as they are, are independent of the OP's question.

I've got an ancient version of BIND managing all of the DNSSEC wherein the master is sort of hidden in that it's listed in the SOA's MNAME, but is not listed as an NS. The MNAME is globally accessible.
I'm sure that I'm overlooking something at the end of a long day, but I can't see anything that prevents the OP from having the primary perform DNSSEC functions while also functioning as a hidden primary role.
--
Grant. . . .
unix || die
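As an added illustration (not Grant's setup and not ISC's documentation), a named.conf sketch for BIND 9.16 or later of the arrangement the thread describes: the primary that holds the keys and signs the zone is not listed in the zone's NS set and only talks to its public secondaries. The ACL, hostnames and addresses are assumed placeholders.

```conf
// Hidden signing primary (assumed: 192.0.2.10, not in the zone's NS RRset).
// Only the public secondaries need to reach it, so expose nothing else.
acl secondaries { 192.0.2.53; 198.51.100.53; };

options {
    listen-on { 192.0.2.10; };
    recursion no;
    allow-query { secondaries; localhost; };   // nobody else queries this box
    allow-transfer { none; };                  // opened per zone below
    notify explicit;                           // NOTIFY only the also-notify list
};

zone "example.com" {
    type primary;
    file "/var/named/example.com.db";          // unsigned zone, edited by hand
    dnssec-policy default;                     // key management and signing done here
    inline-signing yes;                        // signed copy kept separately, on-box
    allow-transfer { secondaries; };           // signed zone goes out only to these
    also-notify { 192.0.2.53; 198.51.100.53; };
};

// The public secondaries (assumed) are what the NS RRset names:
//   zone "example.com" { type secondary; primaries { 192.0.2.10; }; file "..."; };
// The SOA MNAME may name this hidden host, as in Grant's setup, or one of the
// secondaries; neither choice affects validation, since resolvers only see the
// RRSIGs and DNSKEYs that the secondaries serve.
```

Confirm the signed zone reaches the secondaries with `dig @192.0.2.53 example.com SOA +dnssec` and compare the serial against the hidden primary's.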