Hi Libor

Libor Peltan via knot-dns-users <[email protected]> wrote:
> I guess the sentence "only if the query can't be satisfied from the zone"
> means that the zone file takes precedence (and overrides) automatically
> generated records. So if you create your reverse zone with _some_ names in
> it, synthrecord will generate only for the other names.

Understood and thanks.

> Anyway, an alternative to using synthrecord module is to generate the reverse
> zone with
> https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#reverse-generate .

This is very important information for me, because I was wondering how I would secure a reverse zone by DNSSEC.

From your link:

| This option triggers the automatic generation of reverse PTR records based on A/AAAA records in the specified zone. The
| entire generated zone is automatically stored in the journal.

Does that mean that:

#) if I do host a given number of zone files, and
#) if all those zones use AAAA records of the same IPv6 reverse zone,
#) I don't even need to create and maintain an ip6.arpa zone file?

Correct?

> This method is more offline, so it can be combined with traditional DNSSEC
> signing

Does that mean that I do only need to include ...

| - domain: b.0.0.0.a.0.0.0.f.e.e.b.d.a.e.d.ip6.arpa
|   dnssec-signing: on

… in knot.conf and my reverse zone is signed. Correct?

But what about KSK for my reverse zone and DNSKEY "upload to the registrar"?

I do have the feeling I am missing an important part here ;-)

Any feedback is highly appreciated.

Thanks and regards,
Michael

--
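Added illustration, not part of the original message and not Knot DNS code: a sketch of the idea in the quoted documentation sentence, deriving PTR records for one ip6.arpa zone from the AAAA records of several forward zones. The forward names and addresses are constructed sample data; only the reverse zone name is taken from the message. It says nothing about how Knot stores or signs the result.

```python
import ipaddress

# Constructed sample records from two hypothetical forward zones.
FORWARD_RECORDS = [
    ("www.example.org.", "AAAA", "dead:beef:a:b::10"),
    ("mail.example.org.", "AAAA", "dead:beef:a:b::25"),
    ("ns1.example.net.", "AAAA", "dead:beef:a:b::53"),
    ("www.example.net.", "AAAA", "2001:db8::80"),  # outside the reverse zone
    ("www.example.org.", "A", "192.0.2.10"),       # IPv4, never in ip6.arpa
]

# Reverse zone name as written in the message above.
REVERSE_ZONE = "b.0.0.0.a.0.0.0.f.e.e.b.d.a.e.d.ip6.arpa."


def zone_prefix(reverse_zone):
    """Map an ip6.arpa zone name back to the IPv6 network it covers."""
    labels = reverse_zone.rstrip(".").lower().split(".")
    if labels[-2:] != ["ip6", "arpa"]:
        raise ValueError("not an ip6.arpa zone name")
    nibbles = labels[:-2][::-1]  # most significant nibble first
    if not 1 <= len(nibbles) <= 32:
        raise ValueError("unexpected number of nibble labels")
    if any(len(n) != 1 or n not in "0123456789abcdef" for n in nibbles):
        raise ValueError("malformed nibble label")
    value = int("".join(nibbles).ljust(32, "0"), 16)
    return ipaddress.IPv6Network((value, 4 * len(nibbles)))


def generate_ptrs(records, reverse_zone):
    """Return sorted (owner, 'PTR', target) tuples that fall inside reverse_zone."""
    net = zone_prefix(reverse_zone)
    ptrs = []
    for owner, rtype, addr in records:
        if rtype != "AAAA":
            continue
        ip = ipaddress.ip_address(addr)
        if ip.version == 6 and ip in net:
            ptrs.append((ip.reverse_pointer + ".", "PTR", owner))
    return sorted(ptrs)


if __name__ == "__main__":
    for name, rtype, target in generate_ptrs(FORWARD_RECORDS, REVERSE_ZONE):
        print(name, rtype, target)
```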
