On 7/30/15 10:37 AM, Evan Hunt wrote:
> On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote:
>> After that second procedure (and also chown'ing the keyfiles to the bind
>> user), the command 'dig +dnssec +multi dnskey example.com' gives
>> different results depending on which nameserver gets the query:
>>
>> Hidden primary (not authoritative for this zone): Key still in zone
>
> ... sorry, I'm confused. Which of the servers is doing the signing?

This hidden primary nameserver does the signing.

The zones I've created list only the secondary nameservers -- the ones that get zone transfers from this hidden primary -- as authoritative.

Most zones have four authoritative nameservers, only one of which I manage. Of the three I don't manage, I'm pretty sure at least two have no DNSSEC-specific configuration -- a hint that any DNSSEC records they serve come from this hidden primary.

Make sense? If not, please let me know what other info you need.

dn