[Pdns-users] Different RRSIG's on master and slaves
Peter van Dijk
peter.van.dijk at netherlabs.nl
Thu Sep 26 08:16:16 UTC 2013
On Sep 26, 2013, at 9:37 , Posner, Sebastian wrote:
>> -----Ursprüngliche Nachricht-----
>> Von: pdns-users-bounces at mailman.powerdns.com [mailto:pdns-users-
>> bounces at mailman.powerdns.com] Im Auftrag von mvdgeijn
>> Gesendet: Mittwoch, 25. September 2013 11:51
>> An: pdns-users at mailman.powerdns.com
>> Betreff: Re: [Pdns-users] Different RRSIG's on master and slaves
>> On both the master and slave servers "pdnssec show-zone" shows that
>> the zone is not pre-signed.
> CMIIW, but if replication is done via AXFR, zone MUST be set to pre-signed
> on all slaves, otherwise they will start signing it on their own, using
> self-generated key material.
This is mostly correct. These days, PowerDNS sets the pre signed flag automatically when needed. Also, PowerDNS will never automatically sign - only if the admin adds keys, usually through 'pdnssec secure-zone'.
> You can only have the zone non-presigned on multiple servers if replication
> is provided within the dnssec-capable backend, because the cryptokeys-table
> MUST be replicated to all live-signing servers. And AXFR can't do that.
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Pdns-users