You don’t need update-policy local. In inline-signing mode named maintains its own copy of the zone with the DNSSEC records in addition to the copy from upstream. DNSSEC is controlled by rndc.

> On 19 Mar 2019, at 10:33 am, LeBlanc, Daniel James 
> <daniel.lebl...@bellaliant.ca> wrote:
> 
> Hello All.
>  
> I have a pair of ISC BIND 9.12.3-P1 servers that are configured as slaves to 
> a pair of Hidden Master servers.  The Hidden Masters are a proprietary 
> product and unfortunately when used to sign the zones, the SOA records are 
> not populated as expected.  As a result, I was looking into signing the zones 
> within ISC BIND instead.  Reviewed the literature, came up with a plan and 
> the required configuration changes.  However, things are not proceeding as I 
> had hoped…
>  
> If I include required statements within the zone options BIND complained that 
> update-policy local is not permitted in a zone of type slave (and failed to 
> start):
>  
>                 key-directory "keys/externals/{{ zone.zonename }}";
>                 inline-signing yes;
>                 auto-dnssec maintain;
>                 update-policy local;
>  
> So I switched it out for the allow-update { localhost; };, and BIND 
> complained that allow-update is not permitted in a zone of type slave (and 
> failed to start).
>  
> So I changed my zone type from slave to master (recall that these BIND 
> instances are intended to be slaved off of the Hidden Masters), and BIND 
> complained that masters statements were not permitted in zones of type master 
> (meaning that updates would not be accepted).
>  
> Is there a way for me to sign the zones on the slave servers, even though I 
> intend to provision content into those same zones on the proprietary Hidden 
> Masters?
>  
> Thanks.
>  
> Daniel J. LeBlanc, P.Eng., MBA, DTME | Senior Network Architect | Bell Canada
>  
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
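
A sketch of the slave-zone configuration the reply describes, added here as an example; it is not part of the original thread and not ISC's own sample. The zone name, master address and file paths are placeholders, and it assumes BIND 9.12 with signing keys already generated into the key directory.

```conf
// Constructed example: names, addresses and paths are placeholders.
zone "example.com" {
    type slave;                       // still transferred from the hidden master
    masters { 192.0.2.1; };           // placeholder hidden-master address
    file "slaves/example.com.db";     // unsigned copy as received from upstream

    key-directory "keys/externals/example.com";
    inline-signing yes;               // named keeps its own signed copy
                                      // alongside the transferred one
    auto-dnssec maintain;             // sign and re-sign with keys found in
                                      // key-directory

    // No update-policy or allow-update here: neither is permitted in a
    // zone of type slave, and inline signing does not need them.
};

// Signing is then driven through rndc rather than dynamic update, e.g.:
//   rndc loadkeys example.com        (pick up new or changed keys)
//   rndc sign example.com            (re-sign the zone now)
//   rndc signing -list example.com   (show signing state)
```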
