do not stupidly delete ZSK files

David Newman dnewman at networktest.com
Thu Jul 30 23:47:03 UTC 2015


On 7/30/15 10:37 AM, Evan Hunt wrote:
> On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote:
>> After that second procedure (and also chown'ing the keyfiles to the bind
>> user), the command 'dig +dnssec +multi dnskey example.com' gives
>> different results depending on which nameserver gets the query:
>>
>> Hidden primary (not authoritative for this zone): Key still in zone
> 
> ... sorry, I'm confused. Which of the servers is doing the signing?

This hidden primary nameserver does the signing. The zones I've created
list only the secondary nameservers -- the ones that get zone transfers
from this hidden primary -- as authoritative.

Most zones have four authoritative nameservers, only one of which I
manage. Of the three I don't manage, I'm pretty sure at least two have
no DNSSEC-specific configuration -- a hint that any DNSSEC records they
serve come from this hidden primary.

Make sense? If not, please let me know what other info you need.

dn
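As an added example, not part of this thread and not BIND's own tooling: a small POSIX shell script that pulls the key ids out of `dig +dnssec +multi dnskey` output and compares what the hidden primary serves against what each server in the NS set serves, so a DNSKEY present on one server and absent on another shows up at once. The zone name, server names, key ids and the two captured dig outputs are constructed for the example; only `live_check` talks to the network.

```shell
#!/bin/sh
# Added example (not from the original thread): compare the DNSKEY RRset
# served by a hidden primary with the RRset served by each public nameserver.

# Extract "<role> <key id>" for every DNSKEY that `dig +multi` printed.
# dig +multi ends each record with a comment like
#   ) ; ZSK; alg = RSASHA256 ; key id = 22222
# stdin: output of `dig +dnssec +multi dnskey <zone> @<server>`
dnskey_ids() {
    sed -n 's/.*; \([KZ]SK\); alg = [^;]*; key id = \([0-9]*\).*/\1 \2/p' | sort -u
}

# Compare two captured outputs. Returns 0 when both servers publish the same
# key ids; otherwise prints the keys that appear on only one side and returns 1.
compare_dnskey() {
    a=$(printf '%s\n' "$1" | dnskey_ids)
    b=$(printf '%s\n' "$2" | dnskey_ids)
    if [ "$a" = "$b" ]; then
        return 0
    fi
    echo "DNSKEY RRsets differ; keys present on only one server:"
    printf '%s\n%s\n' "$a" "$b" | sort | uniq -u
    return 1
}

# Live version: the hidden primary is not in the NS set (as in the thread),
# so it is passed explicitly and used as the reference.
#   live_check example.com hidden-primary.example.net
live_check() {
    zone=$1
    hidden=$2
    ref=$(dig +dnssec +multi dnskey "$zone" @"$hidden")
    for ns in $(dig +short ns "$zone"); do
        cur=$(dig +dnssec +multi dnskey "$zone" @"$ns")
        compare_dnskey "$ref" "$cur" || echo "mismatch: $hidden vs $ns"
    done
}

# Constructed sample output (made-up zone, keys and key ids).
SAMPLE_PRIMARY='
example.com.            3600 IN DNSKEY 257 3 8 (
                                AwEAAcONSTRUCTEDKSKBASE64==
                                ) ; KSK; alg = RSASHA256 ; key id = 11111
example.com.            3600 IN DNSKEY 256 3 8 (
                                AwEAAcONSTRUCTEDZSKBASE64==
                                ) ; ZSK; alg = RSASHA256 ; key id = 22222
'
# Constructed: this secondary still serves a ZSK the primary no longer has.
SAMPLE_SECONDARY='
example.com.            3600 IN DNSKEY 257 3 8 (
                                AwEAAcONSTRUCTEDKSKBASE64==
                                ) ; KSK; alg = RSASHA256 ; key id = 11111
example.com.            3600 IN DNSKEY 256 3 8 (
                                AwEAAcONSTRUCTEDZSKBASE64==
                                ) ; ZSK; alg = RSASHA256 ; key id = 22222
example.com.            3600 IN DNSKEY 256 3 8 (
                                AwEAAcONSTRUCTEDOLDZSKB64==
                                ) ; ZSK; alg = RSASHA256 ; key id = 33333
'

# Offline demonstration on the constructed samples.
compare_dnskey "$SAMPLE_PRIMARY" "$SAMPLE_SECONDARY" \
    || echo "sample secondary disagrees with sample primary"
```

Run the offline part as-is; replace the sample strings with real captures, or call `live_check` with your zone and hidden primary, to use it on a live setup. The comparison is on key ids and roles only, which is enough to spot a key that was removed on one side but is still being served (or still cached from an earlier transfer) on another; it does not validate signatures.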