> -----Original Message-----
> From: [email protected] [mailto:pdns-users-
> [email protected]] On Behalf Of mvdgeijn
> Sent: Wednesday, 25 September 2013 11:51
> To: [email protected]
> Subject: Re: [Pdns-users] Different RRSIG's on master and slaves
>
> On both the master and slave servers "pdnssec show-zone" shows that
> the zone is not pre-signed.

CMIIW, but if replication is done via AXFR, the zone MUST be set to pre-signed on all slaves, otherwise they will start signing it on their own, using self-generated key material.

You can only have the zone non-presigned on multiple servers if replication is provided within the DNSSEC-capable backend, because the cryptokeys table MUST be replicated to all live-signing servers. And AXFR can't do that.

Kind regards,
Sebastian

--
Sebastian Posner
Unix Systems Specialist
Deutsche Telekom AG, Products & Innovation

"Someone once said it can't be done. Then along came someone who didn't know that and simply did it."

_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
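
A check for the symptom discussed in this thread, added here as an example and not part of the original message: it compares the key tags of the RRSIG records returned by the master and by a slave. The record lines are constructed sample data in dig's presentation format; the zone name, key tags and signatures are placeholders, and the function names are hypothetical.

```python
"""Compare RRSIG key tags between a master and a slave (added example)."""

# Constructed sample answers; names, key tags and signatures are placeholders.
MASTER = """\
example.org. 3600 IN SOA ns1.example.org. hostmaster.example.org. 2013092501 10800 3600 604800 3600
example.org. 3600 IN RRSIG SOA 8 2 3600 20131003000000 20130919000000 11111 example.org. c2lnLW1hc3Rlcg==
example.org. 3600 IN RRSIG NS 8 2 3600 20131003000000 20130919000000 11111 example.org. c2lnLW1hc3Rlcg==
"""
# A slave that received the zone via AXFR but signs it with its own key.
SLAVE_SELF_SIGNING = """\
example.org. 3600 IN RRSIG SOA 8 2 3600 20131003000000 20130919000000 22222 example.org. c2lnLXNsYXZl
example.org. 3600 IN RRSIG NS 8 2 3600 20131003000000 20130919000000 22222 example.org. c2lnLXNsYXZl
"""
# A presigned slave serves the master's RRSIGs unchanged.
SLAVE_PRESIGNED = MASTER


def rrsig_keys(answer):
    """Return {type_covered: {(key_tag, signer), ...}} for every RRSIG line."""
    result = {}
    for line in answer.splitlines():
        fields = line.split()
        # owner ttl class RRSIG covered alg labels origttl expire incept tag signer sig
        if len(fields) < 13 or fields[3].upper() != "RRSIG":
            continue
        covered, key_tag, signer = fields[4].upper(), int(fields[10]), fields[11].lower()
        result.setdefault(covered, set()).add((key_tag, signer))
    return result


def foreign_signers(master_answer, slave_answer):
    """List (type, key_tag, signer) present on the slave but not on the master."""
    master, slave = rrsig_keys(master_answer), rrsig_keys(slave_answer)
    diffs = []
    for covered, keys in sorted(slave.items()):
        for key_tag, signer in sorted(keys - master.get(covered, set())):
            diffs.append((covered, key_tag, signer))
    return diffs


if __name__ == "__main__":
    for name, answer in (("self-signing", SLAVE_SELF_SIGNING), ("presigned", SLAVE_PRESIGNED)):
        diffs = foreign_signers(MASTER, answer)
        print(name, "slave:", diffs if diffs else "RRSIG key tags match the master")
```

A key tag that appears only on the slave means validators following the parent's DS record will not find a matching DNSKEY for those signatures.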
