[KASP] setup KASP in master / slave architecture

adrien sipasseuth sipasseuth.adrien at gmail.com
Thu Dec 15 17:05:36 UTC 2022


Hi,

Ok, I got confused, no need for the keys on the slaves actually.

On the other hand, my slaves should generate the .signed, .signed.jnl and
.jbk files of my zones, no? Currently that is not the case for me; should I copy them
from the master?

Moreover, when I test a "dig A", I don't have the associated RRSIG when I do
my "dig A" on a slave, while on the master I do.

Regards,
Adrien

On Mon, Dec 12, 2022 at 12:59, Darren Ankney <darren.ankney at gmail.com>
wrote:

>
>
> The keys are generated on the master but not on the slaves.
> So I don't understand how the slaves can read their zone file which ends
> in ".signed", because they don't have the keys? (But it works with dig, I
> see DS with the right ZSK.)
>
> Regards
>
> Adrien
>
>
> Because the zone is signed with DNSSEC but not encrypted.  DNSSEC is only
> providing authentication of the source of the zone, not hiding the contents
> (https://www.rfc-editor.org/rfc/rfc4033).  For the primary -> secondary
> zone transfer, you should set up TSIG authentication if you haven’t already
> to ensure that only your secondary can perform a zone transfer (
> https://www.rfc-editor.org/rfc/rfc2931 and
> https://bind9.readthedocs.io/en/v9_18_9/chapter7.html#tsig).
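
The TSIG-restricted zone transfer recommended in the quoted reply, sketched as named.conf fragments for both servers. This is an added example, not configuration from the thread: the zone name, file names, key name "xfer-key", the secret placeholder and the 192.0.2.x addresses are all assumptions.

```conf
// ---- primary, assumed address 192.0.2.1 ----
// Shared secret: placeholder only. Generate a real key statement with
//   tsig-keygen -a hmac-sha256 xfer-key
// and paste the identical statement into both servers' configuration.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-GENERATED-BASE64";
};

zone "example.com" {
    type primary;
    file "example.com.db";
    // The zone's signing options stay as they are and are omitted here.

    // Weak form to avoid: allow-transfer { any; };
    // An address-only ACL is also weaker than a key, since it trusts the
    // source IP rather than proof of possession of the secret.
    allow-transfer { key "xfer-key"; };

    // Tell the secondary when the zone changes.
    also-notify { 192.0.2.2; };
};

// ---- secondary, assumed address 192.0.2.2 ----
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-REPLACE-WITH-GENERATED-BASE64";
};

zone "example.com" {
    type secondary;
    file "example.com.db";
    // Sign SOA queries and AXFR/IXFR requests to the primary with the key.
    primaries { 192.0.2.1 key "xfer-key"; };
};
```

Keep the file holding the key statement readable only by the named user, and confirm that an AXFR request sent to the primary without the key fails.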