Hello,

On Sep 26, 2013, at 9:37, Posner, Sebastian wrote:
>> -----Original Message-----
>> From: [email protected] [mailto:pdns-users-
>> [email protected]] On behalf of mvdgeijn
>> Sent: Wednesday, 25 September 2013 11:51
>> To: [email protected]
>> Subject: Re: [Pdns-users] Different RRSIG's on master and slaves
>>
>> On both the master and slave servers "pdnssec show-zone" shows that
>> the zone is not pre-signed.
>
> CMIIW, but if replication is done via AXFR, zone MUST be set to pre-signed
> on all slaves, otherwise they will start signing it on their own, using
> self-generated key material.

This is mostly correct. These days, PowerDNS sets the pre-signed flag automatically when needed. Also, PowerDNS will never automatically sign - only if the admin adds keys, usually through 'pdnssec secure-zone'.

> You can only have the zone non-presigned on multiple servers if replication
> is provided within the dnssec-capable backend, because the cryptokeys-table
> MUST be replicated to all live-signing servers. And AXFR can't do that.

Indeed!

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
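The symptom the thread is about (a slave that has started signing with its own key material, so its RRSIGs carry different key tags than the master's) is easy to spot by comparing zone dumps from both servers. The script below is an added example, not code from the thread or from PowerDNS: it assumes each dump is in presentation format with one record per line (as an AXFR transcript would be), and the two dumps embedded here are constructed samples with placeholder signatures, not real zone data.

```python
"""Compare RRSIG key tags between a master's and a slave's zone dump.

Added example, not PowerDNS code. Input: zone dumps in presentation format,
one record per line. The sample dumps below are constructed, with
placeholder base64 signatures and a hypothetical example.com. zone.
"""

from collections import defaultdict

# Constructed master dump: every RRSIG made with key tag 12345.
MASTER_DUMP = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013092501 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20131026000000 20130925000000 12345 example.com. c2lnLW1hc3Rlcg==
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20131026000000 20130925000000 12345 example.com. c2lnLW1hc3Rlcg==
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20131026000000 20130925000000 12345 example.com. c2lnLW1hc3Rlcg==
"""

# Constructed slave dump: same data, but re-signed locally with key tag 23456,
# which is what a non-presigned AXFR slave with its own keys would produce.
SLAVE_DUMP = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2013092501 10800 3600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20131026000000 20130925000000 23456 example.com. c2lnLXNsYXZl
example.com. 3600 IN NS ns1.example.com.
example.com. 3600 IN RRSIG NS 8 2 3600 20131026000000 20130925000000 23456 example.com. c2lnLXNsYXZl
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20131026000000 20130925000000 23456 example.com. c2lnLXNsYXZl
"""


def parse_rrsigs(dump):
    """Map (owner, type covered) -> set of (key tag, signer) for each RRSIG line.

    RRSIG rdata field order (RFC 4034): type-covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer name, signature.
    """
    sigs = defaultdict(set)
    for line in dump.splitlines():
        fields = line.split()
        # Expect: owner TTL class RRSIG + 9 rdata fields; skip anything else.
        if len(fields) < 13 or fields[3] != "RRSIG":
            continue
        owner, rdata = fields[0].lower(), fields[4:]
        type_covered, key_tag, signer = rdata[0], int(rdata[6]), rdata[7].lower()
        sigs[(owner, type_covered)].add((key_tag, signer))
    return dict(sigs)


def compare_rrsigs(master_dump, slave_dump):
    """Return sorted (owner, type, master_sigs, slave_sigs) tuples for every
    RRset whose RRSIG key tags or signer names differ between the dumps.
    An empty list means both servers serve signatures from the same keys."""
    master, slave = parse_rrsigs(master_dump), parse_rrsigs(slave_dump)
    mismatches = []
    for rrset in sorted(set(master) | set(slave)):
        m_sigs, s_sigs = master.get(rrset, set()), slave.get(rrset, set())
        if m_sigs != s_sigs:
            mismatches.append((rrset[0], rrset[1], sorted(m_sigs), sorted(s_sigs)))
    return mismatches


if __name__ == "__main__":
    for owner, rtype, m_sigs, s_sigs in compare_rrsigs(MASTER_DUMP, SLAVE_DUMP):
        print(f"{owner} {rtype}: master signed by {m_sigs}, slave signed by {s_sigs}")
```

Run against real dumps, any RRset reported here points at a slave that is not serving the master's signatures; per the reply above, the fix is to keep the slave pre-signed when replicating by AXFR, or to replicate the cryptokeys table through the backend if the slave is meant to sign live.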
_______________________________________________
Pdns-users mailing list
[email protected]
http://mailman.powerdns.com/mailman/listinfo/pdns-users
