I'm adding ODS2 to my DNS infrastructure.

Atm, I've a hidden DNS primary, running split-view (external & internal) BIND9, 
located inside my LAN.

Only the LAN/24 sees the internal view.

The external sends NOTIFY to a hidden secondary on a VPS, which is NSD4.

My VPS-provider's nameservers pull changes from the hidden secondary instance, 
and publish responses publicly.

ODS2 execs atm on the same box as the hidden-primary, inside my LAN.

It retrieves zone data from the primary by AXFR, and listens for NOTIFY from it 
as well.

ODS2 then signs the data ... and either

(1) I can push the resulting ODS2-signed zones back to the hidden-primary's 
external view, and have Bind9 push the changes up through the secondary, etc.

Or,

(2) I can have ODS2 NOTIFY the secondary itself, pushing the signed-zone data 
onto the VPS instance, and never bother keeping an instance of the signed-zone 
data "in" the primary's zone data.

Is there any particular reason/advantage of keeping a local instance of the 
SIGNED zone data 'active' in the hidden-primary's external view, vs. just 
pushing it out to the secondary directly, still letting the ISP's nameservers 
consume/publish it from there?

Or is it simply a matter of convenience/preference, with no particular 
advantage one way or the other?

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
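For option (2), this is the kind of OpenDNSSEC 2.x DNS adapter file (addns.xml) that has the signer pull the unsigned zone by AXFR from the hidden primary, accept NOTIFY only from it, and then serve AXFR to and NOTIFY the NSD4 hidden secondary directly, bypassing the primary's zone data. It is an added example, not configuration from the original post; the addresses (192.0.2.10 for the primary, 203.0.113.20 for the VPS secondary), key names and secrets are constructed placeholders, and it assumes the VPS can reach the signer on port 53.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Constructed example: 192.0.2.10 = hidden BIND9 primary, 203.0.113.20 = NSD4 hidden secondary on the VPS. -->
<Adapter>
  <DNS>
    <!-- Separate TSIG key per leg, so the VPS never holds the secret that protects the
         signer's inbound (unsigned-zone) path. -->
    <TSIG>
      <Name>primary-to-signer</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>PLACEHOLDER_BASE64_SECRET_1</Secret>
    </TSIG>
    <TSIG>
      <Name>signer-to-secondary</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>PLACEHOLDER_BASE64_SECRET_2</Secret>
    </TSIG>
    <Inbound>
      <!-- Unsigned zone: AXFR from the hidden primary; NOTIFY accepted only from it, with its key. -->
      <RequestTransfer>
        <Remote>
          <Address>192.0.2.10</Address>
          <Port>53</Port>
          <Key>primary-to-signer</Key>
        </Remote>
      </RequestTransfer>
      <AllowNotify>
        <Peer>
          <Prefix>192.0.2.10</Prefix>
          <Key>primary-to-signer</Key>
        </Peer>
      </AllowNotify>
    </Inbound>
    <Outbound>
      <!-- Signed zone: served by AXFR to, and NOTIFY sent to, the NSD4 secondary (option 2). -->
      <ProvideTransfer>
        <Peer>
          <Prefix>203.0.113.20</Prefix>
          <Key>signer-to-secondary</Key>
        </Peer>
      </ProvideTransfer>
      <Notify>
        <Remote>
          <Address>203.0.113.20</Address>
          <Port>53</Port>
          <Key>signer-to-secondary</Key>
        </Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
```

Register the zone with `ods-enforcer zone add --zone <zone> --policy <policy> --input <this file> --input-type DNS --output <this file> --output-type DNS`, and on the VPS configure NSD4 to accept NOTIFY from, and request AXFR from, the signer's address using the signer-to-secondary key.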
