Jordan Larson via bind-users wrote:
> Was I wrong to enable “inline-signing yes” for my slave zones? I would assume
> each slave would need its own DS key? Can I do that?
That sounds very wrong. Your zone shall have one DNSSEC key, or set of keys, that is the same on all slave servers. A client shall see the same set of DNSKEY records regardless of which DNS server it queries.

If you sign the zone on the master, then you shouldn't sign it again on the slaves. The slaves shall receive RRSIG records from the master just like any other records, and serve them to clients. Only the master has the secret keys.

If the master can't sign for some reason, then you can do "bump in the wire" signing: a single signing server receives the unsigned zone from the hidden master over a secure link, signs it, and distributes the signed zone to multiple slaves. Only the signing server has the secret keys. That way there's still a single consistent set of DNSKEY records.

If you need to give different answers to different clients, then you configure separate views, and you must ensure that each client sees the same view – including the same keys – on all DNS servers it can query.

Björn Persson
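The two layouts Björn describes, written out as BIND 9 `named.conf` zone stanzas. This is an added illustration, not configuration from the original thread or from ISC's documentation. It assumes a zone named `example.com`, a master at 192.0.2.10, a signer at 192.0.2.20, public slaves at 192.0.2.11 and 192.0.2.12, a TSIG key called `xfer-key` and a key directory `/var/named/keys`; all of those names and addresses are placeholders. The options shown (`inline-signing`, `auto-dnssec maintain`) are the classic BIND 9.9 to 9.16 way of doing this; BIND 9.16 and later can express the signer side with `dnssec-policy` instead. Each stanza goes into the `named.conf` of the host named in its comment, not all into one file.

```conf
// On every host that takes part in zone transfers: a shared TSIG key so that
// a slave only accepts the signed zone from the host that is supposed to
// provide it. Generate the secret with "tsig-keygen xfer-key"; the value here
// is a placeholder, not a real key.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=";
};

// ---- Layout 1: the master signs ------------------------------------------

// Host 192.0.2.10 (master). The only host with private keys.
// Edits go into the unsigned file; named keeps the signed copy beside it and
// ships DNSKEY and RRSIG records to the slaves as ordinary AXFR/IXFR data.
zone "example.com" {
    type master;
    file "example.com.db";
    key-directory "/var/named/keys";    // dnssec-keygen output lives here
    inline-signing yes;
    auto-dnssec maintain;               // pick up keys, re-sign before RRSIGs expire
    allow-transfer { key xfer-key; };
    also-notify { 192.0.2.11; 192.0.2.12; };
};

// Hosts 192.0.2.11 and 192.0.2.12 (public slaves). No keys and no signing
// options at all: they serve exactly what they received, RRSIGs included.
// This is the stanza where "inline-signing yes" does NOT belong.
zone "example.com" {
    type slave;
    file "example.com.db";
    masters { 192.0.2.10 key xfer-key; };
    allow-transfer { none; };
};

// ---- Layout 2: bump in the wire -------------------------------------------

// Host 192.0.2.10 (hidden master). Unsigned zone, no keys, not listed in
// the zone's NS set. It transfers only to the signer.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-transfer { key xfer-key; };
    also-notify { 192.0.2.20; };
};

// Host 192.0.2.20 (signer). This is the one place a slave zone legitimately
// carries inline-signing: it pulls the unsigned zone, signs it with the only
// copy of the keys, and pushes the signed zone onward. The public slaves use
// the same stanza as in Layout 1, with "masters" pointing at 192.0.2.20.
zone "example.com" {
    type slave;
    file "example.com.db";
    masters { 192.0.2.10 key xfer-key; };
    key-directory "/var/named/keys";
    inline-signing yes;
    auto-dnssec maintain;
    allow-transfer { key xfer-key; };
    also-notify { 192.0.2.11; 192.0.2.12; };
};
```

In either layout there is exactly one KSK, so there is exactly one DS record to hand to the parent zone; slaves never need their own. To confirm the deployment behaves as the reply requires, query each authoritative address for `example.com DNSKEY +dnssec` with `dig` and check that the key tags match on every server, and use `rndc signing -list example.com` on the signing host to see which keys it is actually signing with.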
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users