[Pdns-users] Different RRSIGs on master and slaves
Posner, Sebastian
s.posner at telekom.de
Thu Sep 26 07:37:35 UTC 2013
> -----Original Message-----
> From: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
> bounces at mailman.powerdns.com] On Behalf Of mvdgeijn
> Sent: Wednesday, 25 September 2013 11:51
> To: pdns-users at mailman.powerdns.com
> Subject: Re: [Pdns-users] Different RRSIGs on master and slaves
>
> On both the master and slave servers "pdnssec show-zone" shows that
> the zone is not pre-signed.
Correct me if I'm wrong, but if replication is done via AXFR, the zone MUST
be set to pre-signed on all slaves, otherwise they will start signing it on
their own, using self-generated key material.
You can only have the zone non-presigned on multiple servers if replication
is provided within the DNSSEC-capable backend, because the cryptokeys table
MUST be replicated to all live-signing servers. And AXFR can't do that.
Kind regards,
Sebastian
--
Sebastian Posner
Unix Systems Specialist
Deutsche Telekom AG, Products & Innovation
"Someone once said, that can't be done. Then someone came along who didn't know that and simply did it."
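A quick way to see the symptom this thread is about, as an added example (not code from the post or from PowerDNS): take the `dig <zone> <type> +dnssec +norecurse` answer from the master and from each slave and compare the algorithm, key tag and signer name of every RRSIG. A slave that was left non-presigned after AXFR signs with its own key material and therefore shows a different key tag than the master. The zone name, key tags, timestamps and base64 signature strings below are constructed placeholders, not real dig output.

```python
"""Compare the RRSIGs served by a DNSSEC master and a slave.

Added example for this thread; not code from the original post or from
PowerDNS. It parses the presentation-format answers of
    dig @<master> <zone> <type> +dnssec +norecurse
    dig @<slave>  <zone> <type> +dnssec +norecurse
and reports, per RRset, whether both servers sign with the same
(algorithm, key tag, signer). The sample answers are constructed.
"""
import re

# RRSIG presentation format (RFC 4034, section 3.2):
#   owner TTL IN RRSIG type alg labels orig-ttl expiry inception keytag signer sig
_RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+\d+\s+IN\s+RRSIG\s+(?P<rtype>\S+)\s+(?P<alg>\d+)\s+\d+\s+\d+\s+"
    r"\d{14}\s+\d{14}\s+(?P<keytag>\d+)\s+(?P<signer>\S+)\s+\S"
)


def parse_rrsigs(dig_output):
    """Map (owner, type covered) -> set of (algorithm, key tag, signer).

    Non-RRSIG lines (dig comments, the signed RRsets themselves, OPT) are skipped.
    """
    signers = {}
    for line in dig_output.splitlines():
        m = _RRSIG_RE.match(line.strip())
        if not m:
            continue
        key = (m.group("owner").lower(), m.group("rtype").upper())
        signers.setdefault(key, set()).add(
            (int(m.group("alg")), int(m.group("keytag")), m.group("signer").lower())
        )
    return signers


def compare_rrsig_signers(master_output, slave_output):
    """Return a sorted list of (owner, type, master_signers, slave_signers)
    for every RRset whose signing keys differ between the two servers.

    An empty list means the slave serves the master's signatures unchanged,
    which is what a correctly pre-signed AXFR slave must show.
    """
    master = parse_rrsigs(master_output)
    slave = parse_rrsigs(slave_output)
    diffs = []
    for key in sorted(set(master) | set(slave)):
        m_set = master.get(key, set())
        s_set = slave.get(key, set())
        if m_set != s_set:
            diffs.append((key[0], key[1], m_set, s_set))
    return diffs


def report(master_output, slave_output):
    """Human-readable summary of compare_rrsig_signers()."""
    diffs = compare_rrsig_signers(master_output, slave_output)
    if not diffs:
        return "OK: slave serves the master's RRSIGs"
    lines = ["MISMATCH: slave signs with different keys (live-signing or out of sync):"]
    for owner, rtype, m_set, s_set in diffs:
        lines.append(f"  {owner} {rtype}: master {sorted(m_set)} slave {sorted(s_set)}")
    return "\n".join(lines)


# Constructed sample: the master signs with key tag 12345 (placeholder signatures).
MASTER_DIG = """\
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013092501 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20131016000000 20130925000000 12345 example.com. c2lnbWFzdGVyc29h
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20131016000000 20130925000000 12345 example.com. c2lnbWFzdGVybnM=
"""

# Constructed sample: a slave left non-presigned after AXFR, live-signing with
# its own self-generated key (tag 54321).
LIVE_SIGNING_SLAVE_DIG = """\
;; ANSWER SECTION:
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013092501 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20131016000000 20130925000000 54321 example.com. c2lnc2xhdmVzb2E=
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20131016000000 20130925000000 54321 example.com. c2lnc2xhdmVucw==
"""

# Constructed sample: the same slave once the zone is pre-signed on it, serving
# the RRSIGs it received via AXFR unchanged.
PRESIGNED_SLAVE_DIG = MASTER_DIG

if __name__ == "__main__":
    print(report(MASTER_DIG, LIVE_SIGNING_SLAVE_DIG))
    print(report(MASTER_DIG, PRESIGNED_SLAVE_DIG))
```

Against real servers, save each `dig @server example.com SOA +dnssec +norecurse` answer to a file and pass the two texts to `compare_rrsig_signers()`. A slave reporting a key tag the master never uses is signing with its own cryptokeys; marking the zone pre-signed on that slave (`pdnssec set-presigned <zone>` in the PowerDNS 3.x tooling of this thread) is the change Sebastian's reply points at.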