DNSSEC With Primary Hidden - Clarifying Question from Documentation
Grant Taylor
gtaylor at tnetconsulting.net
Tue Jan 17 23:55:00 UTC 2023
On 1/17/23 4:45 PM, Michael Richardson wrote:
> Many people do exactly that.
Sorry, I don't see that as an answer to -- my understanding of -- the
OP's question of "Does the primary server that handles the DNSSEC duties
need to be not hidden / publicly accessible?"
Specifically what many people do, or not, doesn't translate to a
requirement.
> In my opinion, this is the best way to do things, and the in-place signing is
> just a total pain.
Your opinions, such as they are, are independent of the OP's question.
I've got an ancient version of BIND managing all of the DNSSEC wherein
the master is sort of hidden in that it's listed in the SOA's MNAME, but
is not listed as an NS. The MNAME is globally accessible.
I'm sure that I'm overlooking something at the end of a long day, but I
can't see anything that prevents the OP from having the primary perform
DNSSEC functions while also functioning as a hidden primary role.
--
Grant. . . .
unix || die
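
The arrangement discussed in this message, sketched as a BIND configuration. This is an added example, not part of the original post and not the poster's own setup. It assumes BIND 9.16 or later (for `dnssec-policy`); the zone name `example.com`, the file paths and all addresses (documentation ranges) are constructed.

```conf
// Constructed example. Assumed names and addresses (none are from the thread):
//   example.com                  zone
//   203.0.113.10                 hidden primary and signer, not listed as an NS
//   192.0.2.53, 198.51.100.53    public secondaries, the only NS records

// ---- named.conf on the hidden primary ----
zone "example.com" {
    type primary;
    file "primary/example.com.db";     // unsigned source zone, NS = secondaries only
    dnssec-policy default;             // named generates keys and maintains signatures
    inline-signing yes;                // signed copy is kept beside the source file
    notify explicit;                   // send NOTIFY only to the also-notify list
    also-notify    { 192.0.2.53; 198.51.100.53; };
    allow-transfer { 192.0.2.53; 198.51.100.53; };  // nobody else may pull the zone
};

// ---- named.conf on each public secondary ----
zone "example.com" {
    type secondary;
    primaries { 203.0.113.10; };       // transfer the already-signed zone
    file "secondary/example.com.db";
};
```

The secondaries hold no private keys: they serve the RRSIG, DNSKEY and NSEC records exactly as received in the transfer, so resolvers can validate answers without ever reaching the signer. The primary only needs to be reachable by the secondaries for zone transfers.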