DNSSEC setup for stealth master and multi slave/recursive - Multiple DS keys?

Björn Persson Bjorn at xn--rombobjrn-67a.se
Thu Feb 8 23:59:32 UTC 2024


Jordan Larson via bind-users wrote:
> Was I wrong to enable “inline-signing yes” for my slave zones? I would assume each slave would need its own DS key? Can I do that?

That sounds very wrong. Your zone shall have one DNSSEC key, or set of
keys, that is the same on all slave servers. A client shall see the
same set of DNSKEY records regardless of which DNS server it queries.

If you sign the zone on the master, then you shouldn't sign it again on
the slaves. The slaves shall receive RRSIG records from the master just
like any other records, and serve them to clients. Only the master has
the secret keys.

If the master can't sign for some reason, then you can do "bump in the
wire" signing: A single signing server receives the unsigned zone from
the hidden master over a secure link, signs it, and distributes the
signed zone to multiple slaves. Only the signing server has the secret
keys. That way there's still a single consistent set of DNSKEY records.

If you need to give different answers to different clients, then you
configure separate views, and you must ensure that each client sees the
same view – including the same keys – on all DNS servers it can query.

Björn Persson
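As an added illustration of the two layouts described in this reply (not part of Björn's message and not taken from BIND's own documentation), here is a named.conf sketch for BIND 9.16 or later, split by host. The zone name, the addresses (RFC 5737 documentation ranges), the TSIG key name "xfer-key" and all file paths are assumed placeholders; the `dnssec-policy` and `inline-signing` statements are standard BIND zone options.

```conf
// ---- Layout A: the primary signs ----------------------------------------
// On the primary only. The private keys exist on this host and nowhere else.
// (Assumed placeholders: example.com, key "xfer-key", 192.0.2.x addresses.)
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    dnssec-policy default;          // named generates and rolls the keys here
    inline-signing yes;             // keep a signed copy next to the unsigned file
    notify yes;
    also-notify { 192.0.2.2; 192.0.2.3; };
    allow-transfer { key xfer-key; };
};

// On every public secondary: a plain secondary zone. No dnssec-policy and
// no inline-signing. DNSKEY and RRSIG records arrive with the AXFR/IXFR like
// any other record, so all secondaries serve the identical signed zone and
// every client sees the same DNSKEY RRset whichever server it asks.
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1 key xfer-key; };
    file "/var/named/secondary/example.com.db";
};

// ---- Layout B: "bump in the wire" signing -------------------------------
// On the hidden primary: unsigned, and only the signing server may transfer it.
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";
    allow-transfer { key xfer-key; };    // assumed: signer is 198.51.100.2
    also-notify { 198.51.100.2; };
};

// On the signing server only: a secondary of the hidden primary that signs
// the zone it receives and acts as the source for the public secondaries.
// This is the only host that holds the private keys.
zone "example.com" {
    type secondary;
    primaries { 198.51.100.1 key xfer-key; };   // assumed hidden primary
    file "/var/named/signer/example.com.db";
    dnssec-policy default;
    inline-signing yes;
    notify yes;
    also-notify { 192.0.2.2; 192.0.2.3; };
    allow-transfer { key xfer-key; };    // public secondaries pull the signed copy
};

// The public secondaries in layout B are configured exactly as in layout A,
// except that "primaries" points at the signing server (198.51.100.2).
```

In both layouts there is a single KSK (and therefore a single DS record at the parent) that belongs to the one signing host; the secondaries never need, and must never generate, keys of their own. A quick consistency check after deployment is to query each server with `dig @<server> example.com DNSKEY +dnssec` and confirm the returned DNSKEY RRset and its RRSIG are identical everywhere.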