> On 18 Jan 2023, at 10:55, Grant Taylor via bind-users 
> <bind-users@lists.isc.org> wrote:
> 
> On 1/17/23 4:45 PM, Michael Richardson wrote:
>> Many people do exactly that.
> 
> Sorry, I don't see that as an answer to -- my understanding of -- the OP's 
> question of "Does the primary server that handles the DNSSEC duties need to 
> be not hidden / publicly accessible?"
> 
> Specifically what many people do, or not, doesn't translate to a requirement.
> 
>> In my opinion, this is the best way to do things, and the in-place signing is
>> just a total pain.
> 
> Your opinions, such as they are, are independent of the OP's question.
> 
> I've got an ancient version of BIND managing all of the DNSSEC wherein the 
> master is sort of hidden in that it's listed in the SOA's MNAME, but is not 
> listed as an NS.  The MNAME is globally accessible.
> 
> I'm sure that I'm overlooking something at the end of a long day, but I can't 
> see anything that prevents the OP from having the primary perform DNSSEC 
> functions while also functioning as a hidden primary role.

DNSSEC was designed with the primary doing the signing and the secondaries just 
serving the signed content.  DNSSEC works fine with a hidden primary signing 
the zone.  As with everything DNSSEC, every server involved needs to support 
DNSSEC.

Now how you manage that signing is a completely separate topic and there are 
different ways to do it.

> -- 
> Grant. . . .
> unix || die
> 
> -- 
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
> this list
> 
> ISC funds the development of this software with paid support subscriptions. 
> Contact us at https://www.isc.org/contact/ for more information.
> 
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
