[Pdns-users] Different RRSIG's on master and slaves

Posner, Sebastian s.posner at telekom.de
Thu Sep 26 07:37:35 UTC 2013

> -----Ursprüngliche Nachricht-----
> Von: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
> bounces at mailman.powerdns.com] Im Auftrag von mvdgeijn
> Gesendet: Mittwoch, 25. September 2013 11:51
> An: pdns-users at mailman.powerdns.com
> Betreff: Re: [Pdns-users] Different RRSIG's on master and slaves
> On both the master and slave servers "pdnssec show-zone" shows that
> the zone is not pre-signed.

CMIIW, but if replication is done via AXFR, zone MUST be set to pre-signed 
on all slaves, otherwise they will start signing it on their own, using 
self-generated key material.

You can only have the zone non-presigned on multiple servers if replication
is provided within the dnssec-capable backend, because the cryptokeys-table
MUST be replicated to all live-signing servers. And AXFR can't do that.

Mit freundlichen Grüßen,

Sebastian Posner
Deutsche Telekom AG, Products & Innovation 
"Es hat einmal einer gesagt, das geht nicht. Dann kam einer, der wusste das nicht und hat es einfach gemacht"

More information about the Pdns-users mailing list