[Pdns-users] Different RRSIG's on master and slaves
Peter van Dijk
peter.van.dijk at netherlabs.nl
Thu Sep 26 10:29:38 UTC 2013
On Sep 26, 2013, at 10:27 , mvdgeijn wrote:
> My knowledge on DnsSec isn't that great, but what I tested is that when the
> keys on the slaves (stored in the cryptokeys table) are out of sync with the
> master, I have to remove them on both slave servers from the cryptokeys
> table. After that I update the serial and the zone is synced using AXFR from
> the master to both slaves and the keys are fixed.
AXFR does not sync keys; slaves do not need keys if the master is signing. If you are using AXFR and your master signs, you should never have keys on your slaves.
> Maybe there is indeed some code in PowerDNS that sets the presigned flag
> automaticly, but why isn't that adjusted in the show-zone on the master
> and/or the slaves? And why aren't the keys synced when not in sync with the
> master, even when the serial is updated?
If presigned is set automatically, show-zone will show it.
However, if you are AXFRing presigned zones from a master into a slave that has crypto keys, the results are undefined. I believe this is what's causing your troubles.
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
More information about the Pdns-users