signing for a hidden primary
Eric K Germann
ekgermann at semperen.com
Sun Jan 22 15:54:49 UTC 2023
I use an unsigned hidden master I maintain from inside my local network.
This feeds a secondary server where the signing is done and it acts as
a master to other secondaries. Works well. Started as an experiment
and works well enough I've left it alone.
Hidden master >> DNSSEC signing server (slave to hidden, master to
secondaries) >> secondaries
Here's a config block
zone example.com {
type slave;
masters { a.b.c.d key master-dns01; };
file "slave/example.com.db";
key-directory "keys/example.com";
dnssec-policy domain-policy;
inline-signing yes;
zone-statistics yes;
};
If you're interested in more specifics, I'm happy to share. Ping me
off-list
Eric
On 2023-01-21 19:56, Randy Bush wrote:
> hi mark
>
> hidden primary can not sign. can the public primary which fetches
> from it, and happens to be primary for the parent zone, do bitw
> signing?
> In-line signing is the concept you are looking for and yes named
> supports it.
i know bind9 does bitw. happy to learn it is called inline-signing.
sorry not to have been clear. i want to sign a zone where the server is
secondary. i.e. may i use
zone "foo.bar" {
type slave;
file "secondary/bar.foo"; // yes, i like dir list to alpha sort
...
auto-dnssec maintain;
inline-signing yes;
};
looking at example 2 in https://kb.isc.org/docs/aa-00626, i think that
this will work, i.e. there will be a `secondary/bar.foo.signed` from
which i can extract the DS needed by the parent zone, the server will
send notifies etc.
randy
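The last step in the setup discussed above is handing the parent zone a DS record derived from the DNSKEY that the inline-signing server actually publishes. The following is an added example, not code from this thread or from ISC: it shows what that derivation is (RFC 4034 key tag and DS digest over owner name plus DNSKEY RDATA), so the DS you submit can be checked against what the signed zone serves. The zone name, the key bytes and the DNSKEY line are constructed sample values; a real deployment would take the DNSKEY from the signed zone (or use dnssec-dsfromkey) rather than embedding one.

```python
"""Derive DS records from a DNSKEY in presentation format (RFC 4034).

Added example with constructed sample data; the key below is not a real key.
"""
import base64
import hashlib
import struct

# Digest types from the DS RR (RFC 4034 / RFC 4509 / RFC 6605).
DIGEST_ALGOS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, length-prefixed,
    terminated by the root label (RFC 4034 section 6.2)."""
    trimmed = name.rstrip(".").lower()
    out = b""
    for label in (trimmed.split(".") if trimmed else []):
        raw = label.encode("ascii")
        out += struct.pack("B", len(raw)) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, raw key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (16-bit word sum with carry fold)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if (i & 1) else (b << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg key...' into fields.
    Base64 may be split across whitespace, so everything after alg is joined."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey_b64 = "".join(fields[idx + 4:]).strip("()")
    return owner, flags, protocol, algorithm, pubkey_b64


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """DS presentation form: '<owner> IN DS <tag> <alg> <digest_type> <hex>'.
    Digest input is owner name in wire form followed by the DNSKEY RDATA."""
    if digest_type not in DIGEST_ALGOS:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_ALGOS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_from_dnskey_line(line: str, digest_type: int = 2) -> str:
    """Convenience wrapper: DNSKEY zone-file line in, DS line out.
    Refuses keys without the SEP (KSK) bit, since the parent should not
    carry a DS for a zone-signing key."""
    owner, flags, protocol, algorithm, pubkey_b64 = parse_dnskey_line(line)
    if not flags & 0x0001:
        raise ValueError("DNSKEY lacks the SEP bit; DS is published for the KSK only")
    return ds_record(owner, flags, protocol, algorithm, pubkey_b64, digest_type)


# Constructed sample: flags 257 (KSK), protocol 3, algorithm 13, 4 dummy key bytes.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="

if __name__ == "__main__":
    print(ds_from_dnskey_line(SAMPLE_DNSKEY))
```

To cross-check a live setup, compare this output with the DS produced by dnssec-dsfromkey on the signing server and with the DNSKEY RRset the secondaries actually answer with; a mismatch in the key tag or digest means the parent would be delegating to a key that is not being served.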