I use an unsigned hidden master I maintain from inside my local network. This feeds a secondary server where the signing is done, and it acts as a master to other secondaries. Works well. Started as an experiment and works well enough I've left it alone.

Hidden master >> DNSSEC signing server (slave to hidden, master to secondaries) >> secondaries

Here's a config block:

zone example.com {
        type slave;                                     // secondary of the hidden master
        masters         { a.b.c.d key master-dns01; };  // transfer from the hidden master, TSIG-authenticated
        file            "slave/example.com.db";         // unsigned copy received from the master
        key-directory   "keys/example.com";             // where this zone's signing keys are kept
        dnssec-policy   domain-policy;                  // KASP policy defined elsewhere in named.conf
        inline-signing  yes;                            // sign the received zone locally before serving it
        zone-statistics yes;
};

If you're interested in more specifics, I'm happy to share. Ping me off-list.

Eric

On 2023-01-21 19:56, Randy Bush wrote:

hi mark

>> hidden primary can not sign.  can the public primary which fetches
>> from it, and happens to be primary for the parent zone, do bitw
>> signing?
> In-line signing is the concept you are looking for and yes named
> supports it.

i know bind9 does bitw.  happy to learn it is called inline-signing.

sorry not to have been clear.  i want to sign a zone where the server is
secondary.  i.e. may i use

  zone "foo.bar" {
    type slave;
    file "secondary/bar.foo";  // yes, i like dir list to alpha sort
    ...
    auto-dnssec maintain;
    inline-signing yes;
  }

looking at example 2 in https://kb.isc.org/docs/aa-00626, i think that
this will work, i.e. there will be a `secondary/bar.foo.signed` from
which i can extract the DS needed by the parent zone, the server will
send notifies etc.

randy
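Randy asks above how to get the DS for the parent out of the signed zone the secondary produces. What follows is an added Python example, not code from either poster or from BIND: it parses one DNSKEY record in presentation format (as it appears in the .signed file or in dig output), derives the key tag and DS per RFC 4034, and checks a DS already published at the parent against that key. The foo.bar DNSKEY and its short public key are constructed sample values.

```python
import base64
import hashlib

# DS digest types handled (RFC 4034 / RFC 4509); SHA-1 (type 1) is left out as deprecated.
DIGEST_ALGS = {2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line: str) -> tuple:
    """Parse a single-line DNSKEY record: returns (owner, algorithm, rdata bytes)."""
    parts = line.split()
    i = parts.index("DNSKEY")                # TTL and class before it are optional
    flags, proto, alg = (int(x) for x in parts[i + 1:i + 4])
    pubkey = base64.b64decode("".join(parts[i + 4:]))
    return parts[0], alg, flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(dnskey_line: str, digest_type: int = 2) -> str:
    """DS record for the parent: digest over owner name (wire form) + DNSKEY RDATA."""
    owner, alg, rdata = parse_dnskey(dnskey_line)
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_matches(dnskey_line: str, parent_ds_line: str) -> bool:
    """True if the DS seen at the parent matches this DNSKEY (tag, algorithm, digest type, digest)."""
    p = parent_ds_line.split()
    i = p.index("DS")
    tag, alg, dtype = (int(x) for x in p[i + 1:i + 4])
    digest = "".join(p[i + 4:]).upper()
    if dtype not in DIGEST_ALGS:
        return False
    e = make_ds(dnskey_line, dtype).split()
    return (int(e[3]), int(e[4]), e[6]) == (tag, alg, digest)

# Constructed sample (not from the thread): a hypothetical KSK for foo.bar with a short fake key.
SAMPLE_DNSKEY = "foo.bar. 3600 IN DNSKEY 257 3 13 AAECAwQFBgc="
```

Feeding it the KSK line from `secondary/bar.foo.signed` gives the DS to hand to the parent; running ds_matches against what the parent actually serves is a quick post-rollover sanity check.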