Thank you for the detailed explanation! This is what I was wondering. All the DNSSEC configuration only needs to reside on the master then, correct?
Looks like I've got a little clean-up to do. Appreciate everyone's insight with this!

~Jordan

On 2/9/24, 8:44 AM, "Björn Persson" <bj...@xn--rombobjrn-67a.se> wrote:

> Jordan Larson via bind-users wrote:
> > Was I wrong to enable "inline-signing yes" for my slave zones? I would assume
> > each slave would need its own DS key? Can I do that?
>
> That sounds very wrong. Your zone shall have one DNSSEC key, or set of keys, that is the same on all slave servers. A client shall see the same set of DNSKEY records regardless of which DNS server it queries.
>
> If you sign the zone on the master, then you shouldn't sign it again on the slaves. The slaves shall receive RRSIG records from the master just like any other records, and serve them to clients. Only the master has the secret keys.
>
> If the master can't sign for some reason, then you can do "bump in the wire" signing: A single signing server receives the unsigned zone from the hidden master over a secure link, signs it, and distributes the signed zone to multiple slaves. Only the signing server has the secret keys. That way there's still a single consistent set of DNSKEY records.
>
> If you need to give different answers to different clients, then you configure separate views, and you must ensure that each client sees the same view – including the same keys – on all DNS servers it can query.
>
> Björn Persson
--
bind-users mailing list, bind-users@lists.isc.org
To unsubscribe, visit https://lists.isc.org/mailman/listinfo/bind-users
ISC funds the development of this software with paid support subscriptions. Contact https://www.isc.org/contact/ for more information.
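The split Björn describes, written out as named.conf fragments. This is an added example, not configuration from the thread or from ISC's documentation; each `zone` stanza below belongs on a different host (signing primary, plain secondary, or bump-in-the-wire signer), so they are not meant to appear together in one file. The zone name, addresses, file paths and the TSIG key name are placeholders, and the `secret` value is deliberately left as a marker to be replaced with locally generated key material (for example from `tsig-keygen`). The `type primary`/`type secondary` and `primaries` keywords are the BIND 9.16+ spellings of `master`/`slave`/`masters`.

```conf
// Shared by every server: the TSIG key that authenticates zone transfers.
// (Placeholder name and secret; generate your own with tsig-keygen.)
key "xfer-key" {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen>";
};

// --- Host 1: signing primary. The only host holding private keys. ---
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    key-directory "/var/named/keys";        // private keys live here, and only here
    dnssec-policy "default";                // named generates and rolls the KSK/ZSK
    inline-signing yes;                     // signs a copy; the unsigned file stays untouched
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; 192.0.2.3; };
};

// --- Host 2 and 3: plain secondaries. No signing configuration at all. ---
// DNSKEY and RRSIG records arrive over AXFR/IXFR like any other RRset.
// Do NOT add dnssec-policy or inline-signing here: every secondary would
// generate its own key pair, and resolvers would see a different DNSKEY
// RRset depending on which server answered. One KSK means one DS record
// at the parent, not one per secondary.
zone "example.com" {
    type secondary;
    file "/var/named/secondary/example.com.zone";
    primaries { 192.0.2.1 key "xfer-key"; };
};

// --- Bump-in-the-wire variant: a dedicated signer between a hidden primary
// and the public secondaries. It is a secondary of the hidden primary
// (unsigned zone in over TSIG-authenticated transfer), signs the zone, and
// acts as primary for the public secondaries (signed zone out). Still
// exactly one key set, held only on this host; the hidden primary and the
// public secondaries carry no DNSSEC configuration.
zone "example.com" {
    type secondary;
    file "/var/named/signer/example.com.zone";
    primaries { 192.0.2.10 key "xfer-key"; };   // hidden primary, unsigned copy
    key-directory "/var/named/keys";
    dnssec-policy "default";
    inline-signing yes;
    allow-transfer { key "xfer-key"; };
    also-notify { 192.0.2.2; 192.0.2.3; };
};
```

The fix for the situation in the thread is simply to delete `dnssec-policy`, `inline-signing` and `key-directory` from the secondaries' stanzas and let the next transfer bring in the primary's signed RRsets; the stray keys the secondaries generated can then be removed from their key directories.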
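A check for the property Björn states (every authoritative server returns the same DNSKEY RRset, signed), as an added example rather than anything from the thread. It normalises `dig` answers (comments, TTLs and record order dropped) before comparing, so that a secondary that is merely behind on TTL does not show as a mismatch while one that generated its own keys does. The `--check` invocation, the zone name and the server addresses are placeholders; the sample answers in the usage note are constructed, with fake base64 key material.

```sh
#!/bin/sh
# Added example (not from the bind-users thread): verify that all listed
# authoritative servers hand out one and the same signed DNSKEY RRset.

# Normalise dig '+noall +answer' output for the DNSKEY RRset: drop comment
# lines, keep only DNSKEY records, blank the TTL, collapse whitespace, sort.
# Two servers then compare equal iff their DNSKEY rdata sets are identical.
dnskey_set() {
    grep -v '^;' | awk '$4 == "DNSKEY" { $2 = ""; print }' | tr -s ' ' | sort
}

# Number of RRSIG records covering DNSKEY in the answer (needs 'dig +dnssec').
# Zero means the server is serving an unsigned copy of the zone.
rrsig_count() {
    grep -v '^;' | awk '$4 == "RRSIG" && $5 == "DNSKEY"' | wc -l | tr -d ' '
}

# Compare two dig answers; exit status 0 when the DNSKEY RRsets match.
same_dnskey_set() {
    [ "$(printf '%s\n' "$1" | dnskey_set)" = "$(printf '%s\n' "$2" | dnskey_set)" ]
}

# Query each server directly (no recursion) and compare against the first one.
# Usage: check_servers ZONE NS1 NS2 ...   (needs dig and network access)
check_servers() {
    zone=$1; shift
    ref=""; refns=""
    for ns in "$@"; do
        ans=$(dig @"$ns" "$zone" DNSKEY +norecurse +dnssec +noall +answer)
        cur=$(printf '%s\n' "$ans" | dnskey_set)
        if [ -z "$cur" ]; then
            echo "FAIL: $ns returned no DNSKEY RRset for $zone" >&2; return 1
        fi
        if [ "$(printf '%s\n' "$ans" | rrsig_count)" -eq 0 ]; then
            echo "FAIL: $ns serves DNSKEY without RRSIG (unsigned copy?)" >&2; return 1
        fi
        if [ -z "$ref" ]; then
            ref=$cur; refns=$ns
        elif [ "$cur" != "$ref" ]; then
            echo "FAIL: DNSKEY RRset on $ns differs from $refns (server-local keys?)" >&2
            return 1
        fi
    done
    echo "OK: all $# server(s) serve the same signed DNSKEY RRset for $zone"
}

# Run the live check only when asked, e.g.:
#   sh dnskey-check.sh --check example.com 192.0.2.1 192.0.2.2 192.0.2.3
if [ "${1:-}" = "--check" ]; then
    shift
    check_servers "$@"
fi
```

Run it against every public nameserver of the zone after removing the signing configuration from the secondaries; a `differs from` failure is exactly the symptom of each secondary having signed with its own keys, and a `without RRSIG` failure means a secondary is still serving the unsigned copy.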