[KASP] setup KASP in master / slave architecture
Darren Ankney
darren.ankney at gmail.com
Mon Dec 12 11:58:50 UTC 2022
>
>
> The keys are generated on the master but not on the slaves.
> So I don't understand how the slaves can read their zone file, which ends in ".signed", because they don't have the keys? (But it works with dig; I see DS with the right ZSK.)
>
> Regards
>
> Adrien
>
Because the zone is signed with DNSSEC but not encrypted. DNSSEC is only providing authentication of the source of the zone, not hiding the contents (https://www.rfc-editor.org/rfc/rfc4033). For the primary -> secondary zone transfer, you should set up TSIG authentication if you haven’t already to ensure that only your secondary can perform a zone transfer (https://www.rfc-editor.org/rfc/rfc2931 and https://bind9.readthedocs.io/en/v9_18_9/chapter7.html#tsig).
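As an added example (not part of Darren's reply and not taken from the BIND documentation), this is what the TSIG-protected primary -> secondary transfer described above looks like in named.conf for BIND 9.18. The zone name example.com, the key name xfer-key, the addresses 192.0.2.1 (primary) and 192.0.2.2 (secondary), the file paths and the secret are all placeholders; generate a real secret with `tsig-keygen xfer-key` and paste its output on both hosts. The KASP private keys exist only on the primary; the secondary needs nothing but the DNSKEY and RRSIG records, which arrive inside the AXFR/IXFR like any other record.

```conf
// ---- Primary: holds the KASP private keys and signs the zone ----
key "xfer-key" {
    algorithm hmac-sha256;
    // Placeholder secret (base64 of "example placeholder secret");
    // replace with the secret printed by: tsig-keygen xfer-key
    secret "ZXhhbXBsZSBwbGFjZWhvbGRlciBzZWNyZXQ=";
};

zone "example.com" {
    type primary;
    file "/var/named/example.com";   // unsigned source; named maintains example.com.signed
    dnssec-policy default;           // KASP: keys are generated and rolled here only
    inline-signing yes;
    // Only a peer whose request carries a valid xfer-key TSIG may AXFR/IXFR the zone.
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; };
};

// ---- Secondary: no private keys; serves the signed zone exactly as received ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "ZXhhbXBsZSBwbGFjZWhvbGRlciBzZWNyZXQ=";   // same placeholder secret as above
};

// Sign every request this host sends to the primary (SOA refresh, AXFR/IXFR) with xfer-key.
server 192.0.2.1 {
    keys { "xfer-key"; };
};

zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };
    file "/var/named/example.com.signed";   // DNSKEY and RRSIG records come in with the transfer
    // No dnssec-policy and no inline-signing here: the secondary must not try to sign.
    allow-transfer { none; };               // nothing downstream needs to transfer from this host
};
```

To check the restriction, run `dig @192.0.2.1 example.com AXFR` from any host without the key: the primary answers REFUSED and dig reports "Transfer failed." Repeat with `dig -y hmac-sha256:xfer-key:<secret> @192.0.2.1 example.com AXFR` and the full zone, DNSKEY and RRSIG records included, comes back. TSIG authenticates the peer and protects the transfer's integrity; it does not hide the zone contents, which is consistent with the point above that DNSSEC signs but never encrypts.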
More information about the bind-users mailing list