[Pdns-users] Slaves do not return RRSIGs when DO flag is set
s.posner at telekom.de
Fri Aug 8 09:14:19 UTC 2014
Julian K. wrote:
> > There's your problem: not presigned. You need to set them
> > "presigned"
> > so that pdns knows they're signed and that it needs to send rrsig
> > records. To do this, you'll need to run
> > pdnssec set-presigned zone
> I want the bindbackend to manage the keys and transparently sign my
> Does this really work if I set the zone to presigned?
If you have more than one accessible slave, you do NOT want their
bindbackend to do the signing. Otherwise, every slave would create
and maintain its own set of signing keys that would need to be
put in the upstream domain for DS. Standard AXFR/IXFR is NOT capable of
transferring the secret keys needed for signing.