[KASP] setup KASP in master / slave architecture
Matthijs Mekking
matthijs at isc.org
Fri Dec 9 08:32:46 UTC 2022
Hi Adrien,
You should **not** copy the dnssec-policy configuration to your
secondaries. They transfer in the signed zone from the primary server.
Best regards,
Matthijs
On 12/9/22 09:24, adrien sipasseuth wrote:
> Hello,
>
>
> Looking for some guidance, sorry if I use the wrong way to contact
> community user support.
>
>
> I would like to set up DNSSEC using KASP.
>
> I have an architecture with a master and several slaves.
>
> Here is my policy and zone configuration:
>
> dnssec-policy "test" {
>     keys {
>         ksk lifetime P3D algorithm rsasha256 2048;
>         zsk lifetime P2D algorithm rsasha256 1024;
>     };
> };
>
> zone "**************" {
>     type master;
>     file "/*******/*****.db";
>     notify yes;
>     key-directory "/******/******/";
>     inline-signing yes;
>     dnssec-policy test;
> };
>
>
> After restart, it seems OK: keys are generated on the master, no errors in
> the logs, etc.
>
> I copied this policy, the keys and the zone configuration to each of my
> slaves, then I restarted my slaves; everything seems OK (in the logs).
>
> Except that now I wonder whether the keys on each of my slaves will be
> generated independently from those of my master.
>
>
> In this case, I will end up with different keys for the same zone
> depending on slave1 / slave2 etc. / master. I suppose that is not
> good, because for the same zone we should have one pair of keys, and that
> pair should be copied to each slave?
>
> Is there some tutorial / documentation about how to set up KASP in a master /
> slaves topology?
>
>
> Sorry if it's not clear enough...
>
>
> Thank you
>
> *Adrien SIPASSEUTH*
>
>
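The split Matthijs describes, as an added named.conf sketch that is not from the original thread: the zone name, file paths and the addresses 192.0.2.1 (primary) and 192.0.2.2 (secondary) are constructed placeholders.

```conf
// Primary: owns the keys and signs the zone. Only this server carries the
// dnssec-policy, key-directory and inline-signing statements.
// (Constructed example; zone name, paths and addresses are placeholders.)
dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};

zone "example.test" {
    type master;                       // "type primary" is the newer synonym
    file "/var/named/example.test.db";
    key-directory "/var/named/keys/";  // KSK/ZSK files live here, on the primary only
    inline-signing yes;
    dnssec-policy test;
    notify yes;
    also-notify { 192.0.2.2; };
    allow-transfer { 192.0.2.2; };
};

// Secondary: no dnssec-policy, no key-directory, no inline-signing.
// It transfers the already-signed zone (DNSKEY, RRSIG, NSEC/NSEC3 records
// included) from the primary and serves it unchanged. Giving it a
// dnssec-policy would make it generate its own keys and re-sign, which is
// exactly the divergence the question worries about.
zone "example.test" {
    type slave;                        // "type secondary" is the newer synonym
    masters { 192.0.2.1; };            // "primaries" is the newer synonym
    file "/var/named/example.test.db.xfr";  // local copy of the transferred zone
};
```

To confirm the setup, `dig @192.0.2.2 example.test DNSKEY +dnssec` should return the same key tags and RRSIGs as the same query against 192.0.2.1.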