DNSSEC With Primary Hidden - Clarifying Question from Documentation

Pirawat WATANAPONGSE pirawat.w at ku.th
Wed Jan 18 04:52:14 UTC 2023


If my “understanding” of your desire is wrong, I do apologize for creating
even more noise rather than answering it.

I believe that your problem is only a matter of “semantics”: the “terms”
used do not sync-up with the “meanings”.

My best guess is that you want the “master copy & signing” of your zones
hidden, but still want (at least 2) Authoritative Servers answering the
(DNSSEC) queries.

That is called the “Hidden-Master” implementation.
1. You set up a server capable of “sec” signing, put it somewhere in the
private part of your network, load it with your zone files and sign them
all, and set it to transfer the zones out to the Primary.
This one is called the Hidden “Master”.
Nobody says that it has to serve the public; it only has to provide zone
transfers to the Primary (only).
Not putting the FQDN of your Master in the zone file, and firewalling it off
from everyone except the Primary, is the best way to “hide”.
2. You set up a “Primary” Authoritative Server (in-house or out-sourced),
set it to get the (signed) zones "transferred in" from the Master, set it
to "transfer out" the (signed) zones to the Secondaries, and service the
queries from the public.
You do it by cheating: configuring the Primary to think of itself as a
secondary to the Master, but at the same time configuring it to still be
the primary to the Secondaries.
Nobody says anything about where the Primary gets the zone information
from, or that it must carry the (unsigned) master copies and sign
them by itself; it only has to service the queries to the public, and
provide the zone transfers to the Secondaries (only).
3. You set up 1 or more Secondary Authoritative Servers (in-house or
out-sourced), set them to get the (signed) zones "transferred in" from the
Primary, and service the queries from the public.
Nobody says that zones cannot be “chained-transferred”.
4. You MUST use the FQDN of the Primary in your SOA Records, NOT the Master.

So, minimum configuration: 1 Master, 1 Primary, 1 Secondary.
Add Secondaries to taste.
Resolvers not included.


Cheers,

Pirawat.


> ---------- Forwarded message ----------
> From: E R <fasteddieinaustin at gmail.com>
> To: bind-users at lists.isc.org
> Cc:
> Bcc:
> Date: Tue, 17 Jan 2023 17:28:57 -0600
> Subject: DNSSEC With Primary Hidden - Clarifying Question from
> Documentation
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited.  I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available.  While reading the DNSSEC Guide
> <https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#recipes> recipes
> it seems to imply that I cannot have a hidden primary that handles all the
> DNSSEC stuff.
>
> Can the primary server that handles the DNSSEC duties not be hidden?  Or
> were they just illustrating that you do not need to touch your hidden
> primary server and just add one that does the DNSSEC duties?
>
>
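The three-server layout described in the steps above, written out as named.conf fragments for BIND 9.16 or later. This is an added example, not part of the original message or of ISC's documentation; the host names, addresses and file paths are constructed, and it assumes the Master signs a static zone file with a dnssec-policy.

```conf
# ---- Hidden "Master" (private network; constructed address 10.0.0.10) ----
# Holds the unsigned zone and the keys, signs it, and feeds only the Primary.
acl "primary-ns" { 192.0.2.1; };        # the public Primary, nothing else
options {
    listen-on { 10.0.0.10; };
    allow-query { "primary-ns"; };      # only the Primary's SOA refresh queries
    allow-transfer { "primary-ns"; };   # pair this with a firewall rule
    notify explicit;                    # NOTIFY only the also-notify targets
    also-notify { 192.0.2.1; };
    key-directory "/var/lib/bind/keys";
};
zone "example.com" {
    type primary;
    file "/var/lib/bind/example.com.db";
    dnssec-policy "default";            # keys and signatures maintained here
    inline-signing yes;                 # sign the static zone file in place
};

# ---- Public "Primary" ns1.example.com (constructed address 192.0.2.1) ----
# The "cheat": a secondary of the Master, but the primary for the Secondaries.
acl "secondary-ns" { 198.51.100.2; };
zone "example.com" {
    type secondary;
    primaries { 10.0.0.10; };           # transfer the already-signed zone in
    file "/var/cache/bind/example.com.signed";
    allow-notify { 10.0.0.10; };
    allow-transfer { "secondary-ns"; }; # transfer out to the Secondaries only
    notify yes;                         # NOTIFY the NS-listed hosts (ns2)
};

# ---- Public Secondary ns2.example.com (constructed address 198.51.100.2) ----
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1; };           # chained transfer from ns1, never the Master
    file "/var/cache/bind/example.com.signed";
    allow-notify { 192.0.2.1; };
    allow-transfer { none; };
};

# ---- Zone file on the Master (step 4): MNAME names the Primary, not this host ----
# example.com.  IN SOA ns1.example.com. hostmaster.example.com. (
#                   2023011801 3600 900 1209600 300 )
# example.com.  IN NS  ns1.example.com.
# example.com.  IN NS  ns2.example.com.
```

Each host's file can be checked with named-checkconf before reloading, and the Master's address should appear nowhere in the published zone data.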