[Pdns-users] Slaves do not return RRSIGs when DO flag is set
Posner, Sebastian
s.posner at telekom.de
Fri Aug 8 09:14:19 UTC 2014
Julian K. wrote:
> > There's your problem: not presigned. You need to set them
> > "presigned"
> > so that pdns knows they're signed and that it needs to send rrsig
> > records. To do this, you'll need to run
> >
> > pdnssec set-presigned zone
> I want the bindbackend to manage the keys and transparently sign my
> zones.
> Does this really work if I set the zone to presigned?
If you have more than one accessible slave, you do NOT want their
bindbackend to do the signing. Otherwise, every slave would create
and maintain their own set of signing keys that would need to be
put in the upstream domain for DS. Standard AXFR/IXFR is NOT capable of
transferring the secret keys needed for signing.
kind regards,
Sebastian
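
A check for the two failure modes discussed in this thread, as an added example that is not part of the original post: it parses answer sections in the format printed by `dig +dnssec +noall +answer` and flags slaves that return no RRSIG or whose RRSIG key tags differ from the master's. Server names, addresses, key tags and signature strings are constructed placeholders, and the function names are hypothetical.

```python
# Constructed sample data: one answer section per server, as printed by
# `dig +dnssec +noall +answer`. All names and values are placeholders.
SAMPLE = {
    "ns1.example.net": """\
example.org. 3600 IN A 192.0.2.10
example.org. 3600 IN RRSIG A 8 2 3600 20140901000000 20140801000000 12345 example.org. c2lnbmF0dXJl
""",
    "ns2.example.net": """\
example.org. 3600 IN A 192.0.2.10
""",
    "ns3.example.net": """\
example.org. 3600 IN A 192.0.2.10
example.org. 3600 IN RRSIG A 8 2 3600 20140901000000 20140801000000 54321 example.org. c2lnbmF0dXJl
""",
}


def rrsig_key_tags(answer, qtype):
    """Return the key tags of all RRSIGs covering qtype in one answer section."""
    tags = set()
    for line in answer.splitlines():
        f = line.split()
        # Presentation format: name ttl class RRSIG covered alg labels
        #                      origttl expire inception keytag signer signature
        if len(f) >= 12 and f[3] == "RRSIG" and f[4].upper() == qtype.upper():
            tags.add(int(f[10]))
    return tags


def audit(answers, qtype, master):
    """Compare every server's RRSIGs for qtype against the master's."""
    reference = rrsig_key_tags(answers[master], qtype)
    result = {}
    for server, answer in answers.items():
        tags = rrsig_key_tags(answer, qtype)
        if not tags:
            result[server] = "unsigned"    # no RRSIG despite DO: zone not served as signed
        elif tags != reference:
            result[server] = "divergent"   # signed with keys the master does not use
        else:
            result[server] = "ok"
    return result


if __name__ == "__main__":
    for server, status in audit(SAMPLE, "A", "ns1.example.net").items():
        print(f"{server}: {status}")
```

A "divergent" result is what locally signing slaves would produce; an "unsigned" result matches the symptom in the subject line.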