On 3/18/19 7:33 PM, LeBlanc, Daniel James wrote:
> I have a pair of ISC BIND 9.12.3-P1 servers that are configured as
> slaves to a pair of Hidden Master servers. The Hidden Masters are a
> proprietary product and unfortunately when used to sign the zones, the
> SOA records are not populated as expected. As a result, I was looking
> into signing the zones within ISC BIND instead. Reviewed the
> literature, came up with a plan and the required configuration changes.
> However, things are not proceeding as I had hoped…
As Mark noted, the "update-policy local" is not going to work as expected, but I'd like to expound a bit.

I would recommend, not knowing how you are currently configured nor what you found on "how to do this", the following:

Modify one of your existing slave servers to act as an in-line signer. Have your hidden master ONLY zone transfer to this chosen signer. Configure your zones on the in-line signer as you have already noted. You now have keying material only on the in-line signing system. Protect it as you would anything valuable.

Set up any other existing servers as slaves of the in-line signer.

In this way, you will have only one server that needs to keep your DNSKEYs safe, have keys updated in only one location, and actually do the "heavy lifting" of signing on that one box. I realize you say you only have two slaves at this point, but when the third (or 12th) comes along, this centralization of signing is going to make your life much easier. You won't have to worry about key distribution, keeping everything in sync as far as key rollover, etc.

Caveats: This will create "single points of failure" that now include both your hidden master and the inline-signer. If the inline-signer falls over, the other slave(s) will continue to serve the zone data until either the in-line signer is fixed, or the expire timer in the SOA comes around and your zones all get deathly ill. Add extra monitoring to the "distribution master" so that you know immediately if it has issues.

If you were already doing all of this, carry on! Highly recommended solution! If you are using another method, I'm curious as to your configuration.

AlanC
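The layout described in the reply above, sketched as BIND 9.12 `named.conf` zone stanzas. This is an added illustration, not AlanC's or the original poster's configuration; the zone name `example.com`, the addresses (192.0.2.1 for the hidden master, 192.0.2.10 for the in-line signer, 192.0.2.20 and 192.0.2.21 for the downstream slaves) and the key directory path are constructed placeholders. The hidden master in the thread is a proprietary product, so only its intended behaviour (transfer and notify to the signer alone) is shown, in BIND syntax for comparison.

```conf
// --- Hidden master (proprietary in the thread; shown here as the
//     equivalent BIND stanza). It should transfer and notify ONLY to
//     the in-line signer, never to the public slaves directly.
zone "example.com" {
    type master;
    file "masters/example.com.db";        // unsigned zone data
    notify explicit;                      // notify only the listed hosts
    also-notify   { 192.0.2.10; };        // the in-line signer
    allow-transfer { 192.0.2.10; };       // nobody else may pull the zone
};

// --- In-line signer (the one slave converted to do the signing).
//     It pulls the unsigned zone from the hidden master, signs it with
//     keys that live only on this box, and acts as the "distribution
//     master" for the remaining slaves.
zone "example.com" {
    type slave;
    masters { 192.0.2.1; };               // hidden master
    file "slaves/example.com.db";         // unsigned copy; named keeps
                                          // the signed version alongside
    inline-signing yes;                   // sign without touching the
                                          // master's zone file
    auto-dnssec maintain;                 // follow key timing metadata
    key-directory "/etc/bind/keys";       // placeholder; protect this path
    notify explicit;
    also-notify   { 192.0.2.20; 192.0.2.21; };
    allow-transfer { 192.0.2.20; 192.0.2.21; };
};

// --- Public slaves (any number of them). They know nothing about the
//     hidden master or the keys; they only slave the signed zone from
//     the in-line signer. Adding a 3rd or 12th slave is just another
//     copy of this stanza plus an entry in the signer's ACLs above.
zone "example.com" {
    type slave;
    masters { 192.0.2.10; };              // the in-line signer
    file "slaves/example.com.signed.db";
    allow-transfer { none; };             // public slaves serve, not transfer
};
```

With this split the only host holding private key material is the signer, so key generation (for example `dnssec-keygen -K /etc/bind/keys -a ECDSAP256SHA256 example.com` and a second key with `-f KSK`) and rollovers happen in one place. The caveat in the reply applies unchanged: the signer is now a single point of failure, and if it stops refreshing, the public slaves keep answering only until the SOA expire timer runs out, so it is the host to monitor most closely.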