signing for a hidden primary

Randy Bush randy at psg.com
Sun Jan 22 00:56:32 UTC 2023


hi mark

>> hidden primary can not sign.  can the public primary which fetches
>> from it, and happens to be primary for the parent zone, do bitw
>> signing?
>
> In-line signing is the concept you are looking for and yes named
> supports it.

i know bind9 does bitw.  happy to learn it is called inline-signing.

sorry not to have been clear.  i want to sign a zone where the server is
secondary.  i.e. may i use

  zone "foo.bar" {
    type slave;
    file "secondary/bar.foo";  // yes, i like dir list to alpha sort
    ...
    auto-dnssec maintain;
    inline-signing yes;
  };
    
looking at example 2 in https://kb.isc.org/docs/aa-00626, i think that
this will work, i.e. there will be a `secondary/bar.foo.signed` from
which i can extract the DS needed by the parent zone, the server will
send notifies etc.

randy
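
The DS extraction step mentioned in the post, as an added example that is not part of the original message or of BIND itself: it derives the SHA-256 DS record from DNSKEY records in presentation format, following RFC 4034. The sample records, their all-zero key material and the function names are constructed for this example, and single-line records are assumed.

```python
import base64
import hashlib
import struct

# Constructed sample: DNSKEY RRs in presentation format for the thread's
# example zone. The all-zero key material is a placeholder, not a real key.
SAMPLE = """\
foo.bar. 3600 IN DNSKEY 256 3 13 {k}
foo.bar. 3600 IN DNSKEY 257 3 13 {k}
""".format(k="A" * 86 + "==")


def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name, RFC 4034 section 6.2."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def key_tag(rdata):
    """Key tag computed over the DNSKEY RDATA, RFC 4034 appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_records(zone_text):
    """Return SHA-256 DS lines for every DNSKEY with the SEP bit set (KSKs)."""
    out = []
    for line in zone_text.splitlines():
        fields = line.split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        if not flags & 0x0001:  # no SEP bit: a ZSK, by convention not in the DS
            continue
        rdata = struct.pack("!HBB", flags, proto, alg)
        rdata += base64.b64decode("".join(fields[i + 4:]))
        # DS digest input is owner name (wire form) followed by DNSKEY RDATA
        digest = hashlib.sha256(name_to_wire(fields[0]) + rdata).hexdigest().upper()
        out.append(f"{fields[0]} IN DS {key_tag(rdata)} {alg} 2 {digest}")
    return out


if __name__ == "__main__":
    print("\n".join(ds_records(SAMPLE)))
```

Comparing the printed key tag and digest with the DS the parent zone actually publishes is a quick check that the delegation points at the key the signer is using.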

