If my “understanding” of your desire is wrong, I do apologize for creating even more noise rather than answering it.
I believe that your problem is only a matter of “semantics”: the “terms” used do not sync up with the “meanings”. My best guess is that you want the “master copy & signing” of your zones hidden, but still want (at least 2) Authoritative Servers answering the (DNSSEC) queries. That is called the “Hidden-Master” implementation.

1. You set up a server capable of “sec” signing, put it somewhere in the private part of your network, load it with your zone files and sign them all, and set it to transfer the zones out to the Primary. This one is called the Hidden “Master”. Nobody says that it has to serve the public; it only has to provide zone transfers to the Primary (only). Not putting the FQDN of your Master in the zone file, and firewalling it off from everyone except the Primary, is the best way to “hide”.

2. You set up a “Primary” Authoritative Server (in-house or out-sourced), set it to get the (signed) zones "transferred in" from the Master, set it to "transfer out" the (signed) zones to the Secondaries, and service the queries from the public. You do it by cheating: configuring the Primary to think of itself as a secondary to the Master, but at the same time configuring it to still be the primary to the Secondaries. Nobody says anything about where the Primary gets the zone information from, or that it must carry the (unsigned) master copies and has to sign them by itself; it only has to service the queries from the public, and provide the zone transfers to the Secondaries (only).

3. You set up 1 or more Secondary Authoritative Servers (in-house or out-sourced), set them to get the (signed) zones "transferred in" from the Primary, and service the queries from the public. Nobody says that zones cannot be “chain-transferred”.

4. You MUST use the FQDN of the Primary in your SOA Records, NOT the Master.

So, minimum configuration: 1 Master, 1 Primary, 1 Secondary. Add Secondaries to taste. Resolvers not included.

Cheers,
Pirawat.
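As an added illustration of the three-tier layout described above (example configuration written for this page, not taken from the original post or from ISC's documentation), here is the shape of a BIND 9.18 named.conf on each of the three servers, plus the SOA/NS part of the zone file that keeps the Master out of the public record. Every address, name and path is an assumption: 10.0.0.5 is the hidden Master on the internal network, 192.0.2.10 is the public Primary (ns1), 198.51.100.20 and 198.51.100.21 are the Secondaries (ns2, ns3), the zone is example.com, and the policy name "hidden-master" is made up for this example.

```conf
// ---- 1. Hidden Master: /etc/named.conf on 10.0.0.5 (internal, assumed) ----
// Holds the unsigned zone file and the signing keys. Answers nobody except
// the Primary, which needs SOA queries (refresh checks) and AXFR/IXFR.
options {
    listen-on { 10.0.0.5; };
    recursion no;
    allow-query { none; };          // default: answer no one
    allow-transfer { none; };       // default: transfer to no one
    notify explicit;                // NOTIFY only the also-notify targets
};

dnssec-policy "hidden-master" {     // name is an assumption for this example
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D algorithm ecdsap256sha256;
    };
};

zone "example.com" {
    type primary;
    file "/var/named/primary/example.com.db";
    dnssec-policy "hidden-master";  // key management and signing happen here only
    inline-signing yes;             // signed copy is kept beside the unsigned file
    allow-query { 192.0.2.10; };    // Primary only: it needs SOA refresh queries
    allow-transfer { 192.0.2.10; }; // Primary only: zone transfers
    also-notify { 192.0.2.10; };
};

// ---- 2. Primary (ns1): /etc/named.conf on 192.0.2.10 (public, assumed) ----
// The "cheat": a secondary to the Master, but the transfer source for the
// Secondaries. It never holds keys or unsigned data, only the signed zone.
options {
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
    notify explicit;
};

zone "example.com" {
    type secondary;
    primaries { 10.0.0.5; };                            // pull from the hidden Master
    file "/var/named/secondary/example.com.db";
    allow-transfer { 198.51.100.20; 198.51.100.21; };   // serve transfers to ns2/ns3 only
    also-notify { 198.51.100.20; 198.51.100.21; };
};

// ---- 3. Secondary (ns2): /etc/named.conf on 198.51.100.20 (public, assumed);
//         ns3 on 198.51.100.21 is configured identically ----
options {
    recursion no;
    allow-query { any; };
    allow-transfer { none; };
};

zone "example.com" {
    type secondary;
    primaries { 192.0.2.10; };      // chained transfer: from the Primary, never the Master
    file "/var/named/secondary/example.com.db";
};

; ---- 4. Zone file on the Master: /var/named/primary/example.com.db ----
; SOA MNAME is the Primary (ns1). Only the public servers appear in the NS
; set; the Master's hostname and 10.0.0.5 appear nowhere in the zone.
$ORIGIN example.com.
$TTL 3600
@   IN SOA ns1.example.com. hostmaster.example.com. (
        2023011701  ; serial
        3600        ; refresh
        900         ; retry
        1209600     ; expire
        300 )       ; negative-cache TTL
    IN NS  ns1.example.com.
    IN NS  ns2.example.com.
    IN NS  ns3.example.com.
ns1 IN A   192.0.2.10
ns2 IN A   198.51.100.20
ns3 IN A   198.51.100.21
```

Check each host with named-checkconf before reloading, then confirm the chain end to end: dig @192.0.2.10 example.com SOA +dnssec +norec should return RRSIGs generated on 10.0.0.5, and the same query against 198.51.100.20 should return the same serial once the Secondaries have transferred. The DS record at the parent zone still has to be published separately; the hidden Master only produces the keys and signatures. Pair the allow-query/allow-transfer ACLs with a host or network firewall rule so that 10.0.0.5 is reachable on port 53 from 192.0.2.10 alone.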
> ---------- Forwarded message ----------
> From: E R <fasteddieinaus...@gmail.com>
> To: bind-users@lists.isc.org
> Cc:
> Bcc:
> Date: Tue, 17 Jan 2023 17:28:57 -0600
> Subject: DNSSEC With Primary Hidden - Clarifying Question from Documentation
>
> I am planning on implementing the current version of BIND to replace the aging, undocumented authoritative servers I inherited. I want to hide the primary server on our internal network and have two secondary servers be publicly available. While reading the DNSSEC Guide <https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#recipes> recipes, it seems to imply that I cannot have a hidden primary that handles all the DNSSEC stuff.
>
> Can the primary server that handles the DNSSEC duties not be hidden? Or were they just illustrating that you do not need to touch your hidden primary server and just add one that does the DNSSEC duties?
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users