On Tue, Jan 17, 2023 at 05:28:57PM -0600, E R wrote:
! I am planning on implementing the current version of BIND to replace the
! aging, undocumented authoritative servers I inherited. I want to hide the
! primary server on our internal network and have two secondary servers be
! publicly available. While reading the DNSSEC Guide
! <https://bind9.readthedocs.io/en/v9_18_9/dnssec-guide.html#recipes> recipes,
! it seems to imply that I cannot have a hidden primary that handles all the
! DNSSEC stuff.
!
! Can the primary server that handles the DNSSEC duties not be hidden? Or
! were they just illustrating that you do not need to touch your hidden
! primary server and just add one that does the DNSSEC duties?
In fact, none of them needs to. I for my part have two publicly visible servers, plus a hidden primary, and the DNSSEC stuff is entirely separated from all of them; that happens in a vault, no network connection, signed e-mail in and out only (I don't want to bother with a hw crypto device).

Obviously, YMMV, it depends on the tools you use to maintain your zones.

cheers,
PMc
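The layout PMc describes (hidden primary on the internal network, two public secondaries, signing done elsewhere and only the already-signed zone file handed to the primary) in named.conf form. This is an added example, not configuration from the thread or from ISC; the addresses, zone name, file paths and key name are constructed placeholders.

```conf
## --- hidden primary (internal, constructed address 10.0.0.10) ---
## The zone file arrives here already signed by the offline signer, so
## there is no dnssec-policy on this server: named just serves the RRSIGs
## it finds in the file. Caveat: the RRSIG expiry is your re-sign
## deadline; check the new file with
##   named-checkzone example.com /var/named/signed/example.com.signed
## before copying it into place and running "rndc reload example.com".
key "xfer-key" {                       # TSIG for zone transfers
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   # placeholder, not a real key
};

zone "example.com" {
    type primary;
    file "/var/named/signed/example.com.signed";
    notify explicit;                   # only tell the hosts listed below
    also-notify { 192.0.2.53; 198.51.100.53; };
    allow-transfer { key xfer-key; };  # secondaries only, authenticated
    allow-update { none; };            # signed file is replaced, never updated
};
## Keep this host out of the zone's NS set and the delegation; the NS
## records name only the two public secondaries.

## --- each public secondary (constructed addresses 192.0.2.53 / 198.51.100.53) ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-tsig-keygen-OUTPUT";   # same placeholder as above
};

zone "example.com" {
    type secondary;
    file "/var/named/secondary/example.com.saved";
    primaries { 10.0.0.10 key xfer-key; };      # the hidden primary
    allow-transfer { none; };          # public servers answer queries only
};
```

If the signer ever ships a file whose signatures are already close to expiry, `dig +dnssec` against a secondary will show the RRSIG expiration field, which is a cheaper check than waiting for validating resolvers to start returning SERVFAIL.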