Hi Erik,

whatever you did below is complicated, unnecessary, and prone to break.

Just create one hidden primary that will do the signing and two to three public 
secondaries that are independent of each other.

Then set up DNSSEC in a way that it’s ok for the primary to be down for a 
specified period of time, so you don’t have to wake up in the middle of the 
night, e.g. the signatures should be long enough and be resigned at least a 
week before expiration.

The DNS itself can handle a failure of the secondaries.

Sure, if you want to be fancy, you can do a local VRRP at each secondary site, 
or use anycast for each primary, but since you are hosting “example.com” I 
don’t think it matters much.

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel 
obligated to reply outside your normal working hours.

> On 27. 9. 2024, at 4:27, TErik Ashfolk <ate...@outlook.com> wrote:
<snip>
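The timing advice above (long signature validity, re-signing at least a week before expiry, and a hidden primary that may be unreachable for a while) can be checked with a small model. The following is an added worked example, not code from Ondrej or from ISC: it uses the knob names from BIND 9's dnssec-policy (signatures-validity, signatures-refresh; the documented BIND 9 defaults are P14D and P5D) and the SOA refresh/expire fields, and it computes how long the primary can be down before the public secondaries either serve expired RRSIGs or expire the zone. The SOA values in the scenarios are constructed.

```python
from datetime import timedelta

# Added example (not from the original thread). Models the timing knobs that
# decide how long a hidden primary may be down before public secondaries stop
# serving a validly signed zone. Knob names follow BIND 9's dnssec-policy and
# the SOA record; the BIND 9 defaults are signatures-validity P14D and
# signatures-refresh P5D. SOA values used below are constructed.

DAY = timedelta(days=1)


def primary_outage_budget(signatures_validity, signatures_refresh,
                          soa_refresh, soa_expire):
    """Guaranteed time the hidden primary can be unreachable before the
    secondaries either hand out expired RRSIGs or drop the zone.

    BIND renews an RRSIG once its remaining lifetime falls below
    signatures-refresh, so the worst case (outage just before a renewal)
    leaves about `signatures_refresh` of validity on the primary. A secondary
    may lag the primary by up to one SOA refresh interval, and it stops
    answering once SOA expire elapses without a successful refresh.
    """
    if signatures_refresh >= signatures_validity:
        raise ValueError("signatures-refresh must be shorter than signatures-validity")
    worst_case_on_secondary = signatures_refresh - soa_refresh
    return min(worst_case_on_secondary, soa_expire)


def meets_week_rule(signatures_validity, signatures_refresh, soa_expire):
    """The rule from the mail: signatures are renewed at least a week before
    they expire, and the secondaries keep the zone at least that long too."""
    return (signatures_refresh >= 7 * DAY
            and signatures_validity > signatures_refresh
            and soa_expire >= 7 * DAY)


def render_dnssec_policy(name, signatures_validity, signatures_refresh):
    """Emit a named.conf dnssec-policy block with the chosen timings, using
    the ISO 8601 day durations named.conf accepts."""
    return (f'dnssec-policy "{name}" {{\n'
            f"    signatures-validity P{signatures_validity.days}D;\n"
            f"    signatures-refresh P{signatures_refresh.days}D;\n"
            f"}};\n")


if __name__ == "__main__":
    # Constructed scenario 1: BIND defaults, 1 h SOA refresh, 14 d SOA expire
    budget = primary_outage_budget(14 * DAY, 5 * DAY, DAY / 24, 14 * DAY)
    print("defaults: primary may be down for", budget)
    print("defaults meet the week rule:",
          meets_week_rule(14 * DAY, 5 * DAY, 14 * DAY))
    # Constructed scenario 2: a full week of headroom, as the mail suggests
    budget = primary_outage_budget(30 * DAY, 7 * DAY, DAY / 24, 14 * DAY)
    print("tuned: primary may be down for", budget)
    print("tuned meets the week rule:",
          meets_week_rule(30 * DAY, 7 * DAY, 14 * DAY))
    print(render_dnssec_policy("relaxed", 30 * DAY, 7 * DAY))
```

With the defaults the primary can be down a little under five days before the secondaries' copies carry expired signatures; raising signatures-validity and signatures-refresh as in the second scenario buys the week of headroom. The SOA expire value is the other half of the budget: if it is shorter than the signature headroom, the secondaries will drop the zone before the signatures lapse.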