> Why not configure regular nameserver on the same host as
> opendnssec instead of replicating full functionality in
> opendnssec itself?

Well... This may at least partly stem from my local wishes for deployment. I wanted to not touch the current originating name server, and continue to maintain the zones there, and use OpenDNSSEC as a "bump on the wire" between the now hidden master and the new distribution master name server. In other words, I wanted to use "DNS in", and at the same time "DNS out" for transferring respectively unsigned and signed zones. After all, that is supposed to be a supported feature, now, with 1.4?

If I want to use the "DNS in" adapter, it seems to me that OpenDNSSEC lays claim to port 53, so that presents an additional challenge if you want to run a real name server in parallel with OpenDNSSEC. (Even though you can configure the signer to listen to another port than 53, I don't immediately see a way for me to configure BIND to send notify messages to another port than port 53.) This quickly devolves into a kludge on top of another kludge, which I am trying my best to avoid.

I'm not sure being able to query for SOA for the incoming zone or reply to a SOA query for the outgoing zone needs to be as complicated as implementing a full name server. After all, it is already today listening for and sending notify messages. But then again, what do I know...

Best regards,

- Håvard