DNSSEC With Primary Hidden - Clarifying Question from Documentation

Mark Andrews marka at isc.org
Wed Jan 18 00:23:11 UTC 2023



> On 18 Jan 2023, at 10:55, Grant Taylor via bind-users <bind-users at lists.isc.org> wrote:
> 
> On 1/17/23 4:45 PM, Michael Richardson wrote:
>> Many people do exactly that.
> 
> Sorry, I don't see that as an answer to -- my understanding of -- the OP's question of "Does the primary server that handles the DNSSEC duties need to be not hidden / publicly accessible?"
> 
> Specifically what many people do, or not, doesn't translate to a requirement.
> 
>> In my opinion, this is the best way to do things, and the in-place signing is
>> just a total pain.
> 
> Your opinions, such as they are, are independent of the OP's question.
> 
> I've got an ancient version of BIND managing all of the DNSSEC wherein the master is sort of hidden in that it's listed in the SOA's MNAME, but is not listed as an NS.  The MNAME is globally accessible.
> 
> I'm sure that I'm overlooking something at the end of a long day, but I can't see anything that prevents the OP from having the primary perform DNSSEC functions while also functioning as a hidden primary role.

DNSSEC was designed with the primary doing the signing and the secondaries just serving the signed content.  DNSSEC works fine with a hidden primary signing the zone.  As with everything DNSSEC, every server involved needs to support DNSSEC.

Now how you manage that signing is a completely separate topic and there are different ways to do it.

> -- 
> Grant. . . .
> unix || die

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
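The arrangement Mark describes (the hidden primary signs, the public secondaries only serve the already-signed zone) as two named.conf fragments. This is an added illustration, not from either message or from ISC; the zone name, addresses and TSIG secret are constructed placeholders, and it assumes BIND 9.16 or later for dnssec-policy.

```conf
# --- named.conf on the HIDDEN PRIMARY (constructed example) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1pbGx1c3RyYXRpb24tb25seQ==";   # constructed, not a real key
};
options {
    recursion no;
    # "Hidden" means this host is in no NS record, so only the secondaries
    # (and local checks) should be able to query it.
    allow-query { localhost; 192.0.2.53; 198.51.100.53; };
    allow-transfer { none; };        # granted per zone below
    notify explicit;                 # notify only the listed secondaries
};
zone "example.test" {
    type primary;
    file "zones/example.test.db";    # unsigned source zone, edited by hand
    dnssec-policy default;           # named generates keys, signs and rolls them
    inline-signing yes;              # signed copy kept apart from the source file
    also-notify { 192.0.2.53; 198.51.100.53; };
    allow-transfer { key xfer-key; };  # secondaries pull the signed zone over TSIG
};

# --- named.conf on ONE PUBLIC SECONDARY (listed as NS; constructed example) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWZvci1pbGx1c3RyYXRpb24tb25seQ==";   # same constructed secret
};
options {
    recursion no;                    # authoritative only
};
zone "example.test" {
    type secondary;
    file "zones/example.test.signed.db";
    primaries { 203.0.113.1 key xfer-key; };  # the hidden primary's address
    # No dnssec-policy and no private keys here: the RRSIG and DNSKEY records
    # arrive with the transfer, so the secondary only has to be DNSSEC-capable.
};
```

To confirm the public side is correct, query a listed secondary with `dig +dnssec SOA example.test` and check that RRSIG records are returned; as Grant notes, the SOA MNAME may still name the hidden host even though it appears in no NS record.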