moving DNSSEC to a hidden master

2013-10-01 Thread David Newman
Is there a recommended order of operations when moving DNSSEC-enabled nameservers to a hidden-master setup? I'm hoping it's just as simple as moving all these files into place on the hidden master: *.key *.private managed-keys.bind *.jbk *.jnl *.signed *.signed.jnl If not, what do I need to do?

Re: moving DNSSEC to a hidden master

2013-10-01 Thread David Newman
On 10/1/13 2:16 PM, David Newman wrote: > Is there a recommended order of operations when moving DNSSEC-enabled > nameservers to a hidden-master setup? Actually, this is really a more general question: Is there a recommended order of operations when migrating zones between any two DNSSEC-enabled n

Re: moving DNSSEC to a hidden master

2013-10-01 Thread Alan Clegg
On Oct 1, 2013, at 8:27 PM, David Newman wrote: > On 10/1/13 2:16 PM, David Newman wrote: >> Is there a recommended order of operations when moving DNSSEC-enabled >> nameservers to a hidden-master setup? > > Actually, this is really a more general question: Is there a recommended > order of ope

Re: moving DNSSEC to a hidden master

2013-10-01 Thread Sten Carlsen
On 02/10/13 02.47, Alan Clegg wrote: > On Oct 1, 2013, at 8:27 PM, David Newman wrote: > >> On 10/1/13 2:16 PM, David Newman wrote: >>> Is there a recommended order of operations when moving DNSSEC-enabled >>> nameservers to a hidden-master setup? >> Actually, this is really a more general questi

Re: moving DNSSEC to a hidden master

2013-10-01 Thread Alan Clegg
On Oct 1, 2013, at 9:04 PM, Sten Carlsen wrote: > > On 02/10/13 02.47, Alan Clegg wrote: >> On Oct 1, 2013, at 8:27 PM, David Newman >> wrote: >> >> >>> On 10/1/13 2:16 PM, David Newman wrote: >>> Is there a recommended order of operations when moving DNSSEC-enabled nameservers t

Re: moving DNSSEC to a hidden master

2013-10-01 Thread Mark Andrews
As Alan said, copy the .key and .private files over. Disable updating on the old master. Transfer the zone contents by setting up as a slave using "masterfile-format text"; or by using dig. This will give you the most up-to-date version of the zone. dig axfr zone +onesoa @oldmaster

Recursive server forwarding dynamic updates

2013-10-01 Thread Bojan Tomic
Hi, I'm looking for a way to set up a recursive/forwarding named server to forward dynamic updates. I know this is not something that RFC2136 allows, but wondering if it can be done or someone else needs this functionality? Basically, instead of returning NOTAUTH a recursive server (or forwarding)

Re: Recursive server forwarding dynamic updates

2013-10-01 Thread Phil Mayers
On 10/02/2013 07:51 AM, Bojan Tomic wrote: Hi, I'm looking for a way to set up a recursive/forwarding named server to forward dynamic updates See "allow-update-forwarding" in the ARM. Obviously you will lose source IP / TSIG key info, so will need to perform access checks at the forwarding se