[KASP] setup KASP in master / slave architecture

adrien sipasseuth sipasseuth.adrien at gmail.com
Fri Dec 9 08:58:33 UTC 2022


Hi Matthijs,

Thank you. So, just to confirm, something like this should work:
Master:
dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};

zone "**************" {
    type master;
    file "/*******/*****.db";
    notify yes;
    key-directory "/******/******/";
    inline-signing yes;
    dnssec-policy test;
};

And my slaves:
zone "**************" {
    type slave;
    masters { **************; };
    file "/ **************/ ************** / ************** .db";
    key-directory "/ ************** / ************** / ************** .fr";
    auto-dnssec maintain;
    inline-signing yes;
};

Am I right?

Regards

Adrien




On Fri, 9 Dec 2022 at 09:33, Matthijs Mekking <matthijs at isc.org> wrote:

> Hi Adrien,
>
> You should **not** copy the dnssec-policy configuration to your
> secondaries. They transfer in the signed zone from the primary server.
>
> Best regards,
>
> Matthijs
>
>
> On 12/9/22 09:24, adrien sipasseuth wrote:
> > Hello,
> >
> >
> > Looking for some guidance; sorry if I am using the wrong way to contact
> > community user support.
> >
> >
> > I would like to set up DNSSEC using KASP.
> >
> > I have an architecture with a master and several slaves.
> >
> > Here is my policy and zone configuration:
> >
> > dnssec-policy "test" {
> >      keys {
> >          ksk lifetime P3D algorithm rsasha256 2048;
> >          zsk lifetime P2D algorithm rsasha256 1024;
> >      };
> > };
> >
> > zone "**************" {
> >      type master;
> >      file "/*******/*****.db";
> >      notify yes;
> >      key-directory "/******/******/";
> >      inline-signing yes;
> >      dnssec-policy test;
> > };
> >
> >
> > After restart, it seems OK: keys are generated on the master, no errors in
> > the logs, etc.
> >
> > I copied this policy, the keys and the zone configuration to each of my
> > slaves, then I restarted my slaves; everything seems OK (in the logs).
> >
> > Except that now I wonder whether the keys on each of my slaves will be
> > generated independently from those of my master.
> >
> >
> > In this case, I will end up with different keys for the same zone
> > depending on slave1 / slave2 / etc. / master. I suppose that is not
> > good, because for the same zone we should have one pair of keys, and it
> > should be copied to each slave?
> >
> > Is there some tutorial / documentation about how to set up KASP in a
> > master / slaves topology?
> >
> >
> > Sorry if it's not clear enough...
> >
> >
> > Thank you
> >
> > *Adrien SIPASSEUTH*
> >
> >
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
>
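Putting Matthijs's advice into a concrete named.conf pair, as an added example that is not from the thread: the primary keeps the dnssec-policy and does the signing, while the secondary only transfers the signed zone. The zone name, file paths and addresses are placeholders.

```conf
// Added example (not from the thread): split of duties between the signing
// primary and a transfer-only secondary. Zone name, paths and addresses are
// placeholders.

// ---- Primary (signer) ----
dnssec-policy "test" {
    keys {
        // Lifetimes are the thread's test values. The ZSK is raised from the
        // thread's 1024 bits to 2048, since 1024-bit RSA is below the size
        // current DNSSEC guidance treats as acceptable.
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 2048;
    };
};

zone "example.test" {
    type master;
    file "/var/named/example.test.db";
    key-directory "/var/named/keys/";
    inline-signing yes;
    dnssec-policy test;
    notify yes;
    allow-transfer { 192.0.2.2; 192.0.2.3; };   // only the secondaries
};

// ---- Secondaries (transfer only) ----
// No dnssec-policy, no key-directory, no auto-dnssec, no inline-signing:
// the DNSKEY and RRSIG records arrive with the zone transfer, so copying
// keys or the policy here would only create a second, competing key set.
zone "example.test" {
    type slave;
    masters { 192.0.2.1; };
    file "/var/named/example.test.db";
};
```

After a transfer, `dig @<secondary> example.test DNSKEY +dnssec` should return exactly the DNSKEY RRset and RRSIGs that the primary serves; any difference means the secondary is signing on its own.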