[KASP] setup KASP in master / slave architecture

2022-12-09 Thread adrien sipasseuth
Hello,


Looking for some guidance, sorry if I am using the wrong way to contact community
user support.


I would like to set up DNSSEC using KASP.

I have an architecture with a master and several slaves.

Here is my policy and zone configuration:

dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};

zone "**" {
    type master;
    file "/***/*.db";
    notify yes;
    key-directory "/**/**/";
    inline-signing yes;
    dnssec-policy test;
};


After restart, it seems OK: keys are generated on the master, no errors in the logs,
etc.

I copied this policy, the keys and the zone configuration to each of my
slaves, then I restarted my slaves; everything seems OK (in the logs).

Except that now I wonder whether the keys on each of my slaves will be generated
independently from those of my master.


In this case, I will end up with different keys for the same zone depending
on slave1 / slave2 etc. / master. I suppose that is not good, because for
the same zone we should have one pair of keys, and this one should be
copied to each slave?

Is there some tutorial / documentation about how to set up KASP in a master / slaves
topology?


Sorry if it's not clear enough...


Thank you



*Adrien SIPASSEUTH*
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: [KASP] setup KASP in master / slave architecture

2022-12-09 Thread Matthijs Mekking

Hi Adrien,

You should **not** copy the dnssec-policy configuration to your 
secondaries. They transfer in the signed zone from the primary server.


Best regards,

Matthijs




Re: [KASP] setup KASP in master / slave architecture

2022-12-09 Thread adrien sipasseuth
Hi Matthijs,

Thank you. So just to confirm, something like this should work:
Master:
dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};

zone "**" {
    type master;
    file "/***/*.db";
    notify yes;
    key-directory "/**/**/";
    inline-signing yes;
    dnssec-policy test;
};

And my slaves:
zone "**" {
    type slave;
    masters { **; };
    file "/**/**/**.db";
    key-directory "/**/**/**.fr";
    auto-dnssec maintain;
    inline-signing yes;
};

Am I right?

Regards

Adrien






Re: [KASP] setup KASP in master / slave architecture

2022-12-09 Thread Matthijs Mekking

Hi,

No.

You don't need DNSSEC maintenance on your secondary zones if you have already 
set it on your primary zones. So


zone "***" {
  type secondary;
  primaries { ***; };
  file "***.db";
};

is enough.

Best regards,

Matthijs.
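As an added example (not part of this thread and not ISC/BIND code), the following Python lint reads named.conf fragments and flags the configuration Matthijs advises against: signing directives (dnssec-policy, auto-dnssec, inline-signing) on a secondary zone, plus a primary zone that references a dnssec-policy that is not defined. The parser understands only the subset of named.conf syntax seen in the thread, and the zone name, file paths and the 192.0.2.1 primary address in the embedded fragments are constructed placeholders.

```python
"""Added example (not ISC/BIND code): lint named.conf fragments for DNSSEC
signing directives on secondary zones, the mistake discussed in this thread.
Only the subset of named.conf syntax used here is understood."""
import re

SIGNING_DIRECTIVES = ("dnssec-policy", "auto-dnssec", "inline-signing")
OFF_VALUES = {"none", "no", "off"}           # values that disable a directive
BUILTIN_POLICIES = {"default", "none", "insecure"}
SECONDARY_TYPES = {"secondary", "slave"}     # new and old keyword spellings
PRIMARY_TYPES = {"primary", "master"}


def strip_comments(text):
    """Drop /* */, // and # comments, all of which named.conf accepts."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def blocks(text, keyword):
    """Return [(name, body)] for each `keyword "name" { body };` in text."""
    header = re.compile(r'\b' + re.escape(keyword) + r'\s+"?([^"\s{;]+)"?\s*\{')
    found, pos = [], 0
    while (m := header.search(text, pos)):
        depth, i = 1, m.end()
        while i < len(text) and depth:       # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        found.append((m.group(1), text[m.end():i - 1]))
        pos = i
    return found


def directive(body, name):
    """Value of a simple `name value;` statement inside a block, else None."""
    m = re.search(r'\b' + re.escape(name) + r'\s+"?([^";{]+?)"?\s*;', body)
    return m.group(1).strip() if m else None


def lint(config):
    """Return a list of findings; an empty list means the fragment looks fine."""
    text = strip_comments(config)
    policies = {n for n, _ in blocks(text, "dnssec-policy")} | BUILTIN_POLICIES
    findings = []
    for zname, body in blocks(text, "zone"):
        ztype = directive(body, "type")
        # Signing directives that are present and not explicitly switched off.
        active = [d for d in SIGNING_DIRECTIVES
                  if (v := directive(body, d)) and v not in OFF_VALUES]
        if ztype in SECONDARY_TYPES and active:
            findings.append(f'zone "{zname}": secondary zone sets {", ".join(active)}; '
                            "drop them, the signed zone is transferred from the primary")
        if ztype in PRIMARY_TYPES:
            policy = directive(body, "dnssec-policy")
            if policy and policy not in policies:
                findings.append(f'zone "{zname}": dnssec-policy "{policy}" is not defined')
    return findings


# Constructed fragments mirroring the thread; the zone name, paths and the
# 192.0.2.1 address are placeholders, not real infrastructure.
PRIMARY_CONF = """
dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};
zone "example.test" {
    type primary;
    file "/var/named/example.test.db";
    notify yes;
    key-directory "/var/named/keys";
    inline-signing yes;
    dnssec-policy test;
};
"""

SECONDARY_WRONG = """  // the secondary as first proposed in the thread
zone "example.test" {
    type secondary;
    primaries { 192.0.2.1; };
    file "/var/named/example.test.db";
    key-directory "/var/named/keys";
    auto-dnssec maintain;
    inline-signing yes;
};
"""

SECONDARY_OK = """  // the transfer-only secondary Matthijs recommends
zone "example.test" {
    type secondary;
    primaries { 192.0.2.1; };
    file "/var/named/example.test.db";
};
"""

if __name__ == "__main__":
    for label, conf in (("primary", PRIMARY_CONF),
                        ("secondary, as first proposed", SECONDARY_WRONG),
                        ("secondary, transfer only", SECONDARY_OK)):
        print(f"{label}: {lint(conf) or 'OK'}")
```

Run against the three fragments, the primary and the transfer-only secondary produce no findings, while the secondary carrying `auto-dnssec maintain` and `inline-signing yes` is reported. The check only looks at the configuration text; whether the secondaries actually serve the primary's signatures is confirmed by comparing the DNSKEY and RRSIG records they answer with against the primary.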
