DNSSEC With Primary Hidden - Clarifying Question from Documentation
Michael Richardson
mcr at sandelman.ca
Tue Jan 17 23:45:25 UTC 2023
E R <fasteddieinaustin at gmail.com> wrote:
> I am planning on implementing the current version of BIND to replace the
> aging, undocumented authoritative servers I inherited. I want to hide the
> primary server on our internal network and have two secondary servers be
> publicly available. While reading the DNSSEC Guide
> <https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#recipes> recipes
> it seems to imply that I cannot have a hidden primary that handles all the
> DNSSEC stuff.
Many people do exactly that.
Check out the “Bump in the Wire” Signing section.
In my opinion, this is the best way to do things, and the in-place signing is
just a total pain.