DNSSEC With Primary Hidden - Clarifying Question from Documentation

Peter pmc at citylink.dinoex.sub.org
Wed Jan 18 02:10:21 UTC 2023


On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote:
! I am planning on implementing the current version of BIND to replace the
! aging, undocumented authoritative servers I inherited.  I want to hide the
! primary server on our internal network and have two secondary servers be
! publicly available.  While reading the DNSSEC Guide
! <https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#recipes> recipes
! it seems to imply that I cannot have a hidden primary that handles all the
! DNSSEC stuff.
! 
! Can the primary server that handles the DNSSEC duties not be hidden?  Or
! were they just illustrating that you do not need to touch your hidden
! primary server and just add one that does the DNSSEC duties?

In fact, none of them needs to.
I for my part have two publicly visible servers, plus a hidden
primary, and the DNSSEC stuff is entirely separated from all of them;
that happens in a vault, no network connection, signed e-mail in and
out only (I don't want to bother with a hw crypto device).

Obviously, YMMV, it depends on the tools you use to maintain your
zones.

cheers,
PMc
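For reference, here is what the layout the original question asks about looks like in BIND 9.18 terms: a hidden primary that does the DNSSEC signing itself (via dnssec-policy) and two public secondaries that only serve the signed zone. This is an added example, not configuration from the original post or from the BIND documentation. The zone name example.com, the addresses 198.51.100.5 (hidden primary), 192.0.2.10 and 192.0.2.11 (public secondaries) and the TSIG secret are constructed placeholders. Peter's setup differs in one respect: signing happens offline, so his primary zone block would carry no dnssec-policy and simply load the already-signed zone file.

```conf
# ---- hidden primary: named.conf (198.51.100.5, internal only) ----
# Constructed example; addresses, zone and key are placeholders.

# TSIG key shared with the two secondaries; generate a real one with
# `tsig-keygen xfer-key` and keep it out of version control.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1mb3ItZXhhbXBsZQ==";   # placeholder value
};

options {
    directory "/var/named";
    recursion no;                 # authoritative-only box
    allow-query { any; };
    # Nobody but the two secondaries may AXFR/IXFR, and only with the key.
    allow-transfer { key "xfer-key"; };
    # Send NOTIFY only to the listed secondaries, not to the NS RRset
    # (the hidden primary is deliberately absent from the NS RRset).
    notify explicit;
    also-notify { 192.0.2.10; 192.0.2.11; };
};

zone "example.com" {
    type primary;
    file "example.com.db";        # unsigned zone you edit by hand
    # Keys are generated, rolled and used for signing on this host,
    # so the private key material lives here (key-directory, default
    # is the working directory). This is the part Peter keeps offline.
    dnssec-policy default;
    inline-signing yes;           # keep the unsigned file untouched
};

# ---- public secondary: named.conf (192.0.2.10 and 192.0.2.11) ----

key "xfer-key" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LWtleS1mb3ItZXhhbXBsZQ==";   # same placeholder
};

options {
    directory "/var/named";
    recursion no;
    allow-query { any; };
    allow-transfer { none; };     # secondaries do not re-serve transfers
};

zone "example.com" {
    type secondary;
    file "secondaries/example.com.db";
    # Pull the already-signed zone from the hidden primary; the
    # secondaries never see private keys.
    primaries { 198.51.100.5 key "xfer-key"; };
};
```

Two points to check after loading this. First, the zone's NS RRset (and ideally the SOA MNAME) must name only the public secondaries; if the primary's name or address shows up there, it is not hidden. Second, on the hidden primary `rndc dnssec -status example.com` shows the key states, and from outside `dig @192.0.2.10 example.com DNSKEY +dnssec` should return the signed RRset that the secondaries transferred, which confirms the public servers carry signatures without holding any key material.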
