[Pdns-users] Slaves do not return RRSIGs when DO flag is set

Posner, Sebastian s.posner at telekom.de
Fri Aug 8 09:14:19 UTC 2014

Julian K. wrote: 

> > There's your problem: not presigned.  You need to set them "presigned"
> > so that pdns knows they're signed and that it needs to send rrsig
> > records.  To do this, you'll need to run
> >
> >      pdnssec set-presigned zone
> I want the bindbackend to manage the keys and transparently sign my
> zones.
> Does this really work if I set the zone to presigned?

If you have more than one accessible slave, you do NOT want their
bindbackend to do the signing. Otherwise, every slave would create
and maintain their own set of signing keys that would need to be
put in the upstream domain for DS. Standard AXFR/IXFR is NOT capable of
transferring the secret keys needed for signing.

kind regards,
