rndc refresh fails for signed zones

Tony Finch dot at dotat.at
Thu Dec 12 15:58:21 UTC 2013


Thomas Schulz <schulz at adi.com> wrote:
>
> Am I correct in thinking that in the case of a hidden master and a chain
> of slaves, that the first publicly accessible slave would do the signing
> and that in any case only one instance of bind should do the signing?

It is better if the hidden master does the signing, since it is a less
exposed system so it is better able to protect the keys. Slave inline
signing mode is for situations where the hidden master can't sign for
whatever reason.

Yes, it is normal to sign in only one place. If you don't, you are likely to
have problems with inconsistent zone serial numbers and RRSIG times. And
you will need a good mechanism to make sure your keys are consistent!

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
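As an added illustration of the arrangement recommended above (a hidden master that signs, and a public slave that only serves the signed zone), here is a constructed named.conf pair. It is not from the original thread or from ISC; the zone name, key directory and the 192.0.2.x addresses are placeholders, and only the signing-related options are shown.

```conf
// --- hidden master (holds the keys, does all the signing) ---
options {
    directory "/var/named";
    recursion no;
    notify explicit;                 // notify only the listed slave, not every NS
    also-notify { 192.0.2.10; };     // placeholder: address of the public slave
    allow-transfer { 192.0.2.10; };  // placeholder: only the public slave may AXFR
};

zone "example.com" {
    type master;
    file "example.com.db";                         // unsigned zone you edit
    key-directory "/var/named/keys/example.com";   // placeholder key directory
    inline-signing yes;      // named keeps a separate signed copy of the zone
    auto-dnssec maintain;    // named adds keys and re-signs as RRSIGs age
};

// --- public slave (serves the signed zone, never signs) ---
options {
    directory "/var/named";
    recursion no;
    allow-transfer { none; };
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };          // placeholder: address of the hidden master
    file "example.com.db.signed";
    // No inline-signing or auto-dnssec here: with two signers the serials
    // and RRSIG validity windows would drift apart between servers.
};
```

With this split, the private keys live only on the hidden master, and every server downstream sees exactly one serial and one set of RRSIGs; checking the SOA serial and RRSIG expiry times on the master and each slave with dig is a quick way to confirm nothing else is signing.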
