Hello Marc, On Sep 26, 2013, at 10:27 , mvdgeijn wrote:
> My knowledge on DnsSec isn't that great, but what I tested is that when the
> keys on the slaves (stored in the cryptokeys table) are out of sync with the
> master, I have to remove them on both slave servers from the cryptokeys
> table. After that I update the serial and the zone is synced using AXFR from
> the master to both slaves and the keys are fixed.

AXFR does not sync keys; slaves do not need keys if the master is signing. If you are using AXFR and your master signs, you should never have keys on your slaves.

> Maybe there is indeed some code in PowerDNS that sets the presigned flag
> automatically, but why isn't that adjusted in the show-zone on the master
> and/or the slaves? And why aren't the keys synced when not in sync with the
> master, even when the serial is updated?

If presigned is set automatically, show-zone will show it. However, if you are AXFRing presigned zones from a master into a slave that has crypto keys, the results are undefined. I believe this is what's causing your troubles.

Kind regards,
--
Peter van Dijk
Netherlabs Computer Consulting BV - http://www.netherlabs.nl/
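A check for the situation described in this reply, added here as an example that is not part of the thread and not PowerDNS's own code: it runs one query against a constructed, simplified copy of the generic SQL backend's domains, cryptokeys and domainmetadata tables (the column names and the PRESIGNED metadata kind are assumed to match the real schema; the sample rows and key contents are made up) and reports SLAVE zones that hold local crypto keys, separating the presigned-plus-keys case the reply calls undefined from the plain keys-on-a-slave case.

```python
import sqlite3

# Constructed, simplified subset of the PowerDNS generic SQL backend schema.
# Assumption: table and column names match the real gsql schema.
SCHEMA = """
CREATE TABLE domains (id INTEGER PRIMARY KEY, name TEXT NOT NULL, type TEXT NOT NULL);
CREATE TABLE cryptokeys (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                         flags INTEGER NOT NULL, active INTEGER, content TEXT);
CREATE TABLE domainmetadata (id INTEGER PRIMARY KEY, domain_id INTEGER NOT NULL,
                             kind TEXT, content TEXT);
"""

# Constructed sample rows: a clean slave, a slave carrying keys, a presigned
# slave that also carries keys, and a native zone that legitimately signs.
SAMPLE_ROWS = """
INSERT INTO domains VALUES (1, 'clean.example', 'SLAVE');
INSERT INTO domains VALUES (2, 'keyed.example', 'SLAVE');
INSERT INTO domains VALUES (3, 'presigned.example', 'SLAVE');
INSERT INTO domains VALUES (4, 'signer.example', 'NATIVE');
INSERT INTO cryptokeys VALUES (1, 2, 257, 1, 'constructed placeholder key');
INSERT INTO cryptokeys VALUES (2, 3, 256, 1, 'constructed placeholder key');
INSERT INTO cryptokeys VALUES (3, 4, 257, 1, 'constructed placeholder key');
INSERT INTO domainmetadata VALUES (1, 3, 'PRESIGNED', '1');
"""


def open_sample_db():
    """Build the in-memory sample database used by the check below."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA + SAMPLE_ROWS)
    return conn


def find_slave_key_problems(conn):
    """Return {zone name: reason} for every SLAVE zone that has rows in cryptokeys.

    A slave that receives signed zones over AXFR should have no keys at all; a
    slave marked PRESIGNED that also has keys is the undefined combination.
    """
    rows = conn.execute("""
        SELECT d.name,
               COUNT(k.id) AS key_count,
               EXISTS(SELECT 1 FROM domainmetadata m
                      WHERE m.domain_id = d.id AND m.kind = 'PRESIGNED') AS presigned
        FROM domains d
        LEFT JOIN cryptokeys k ON k.domain_id = d.id
        WHERE d.type = 'SLAVE'
        GROUP BY d.id, d.name
    """).fetchall()

    problems = {}
    for name, key_count, presigned in rows:
        if key_count == 0:
            continue  # clean slave: nothing local to conflict with the master's signatures
        if presigned:
            problems[name] = ("presigned slave holds %d local key(s): "
                              "undefined behaviour, remove the keys" % key_count)
        else:
            problems[name] = ("slave holds %d local key(s); if the master signs, "
                              "they should not be there" % key_count)
    return problems


if __name__ == "__main__":
    for zone, reason in sorted(find_slave_key_problems(open_sample_db()).items()):
        print("%s: %s" % (zone, reason))
```

Against a real installation the same query can be pointed at the backend database directly; the NATIVE zone is deliberately ignored because keys on a zone that signs locally are expected.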
_______________________________________________ Pdns-users mailing list [email protected] http://mailman.powerdns.com/mailman/listinfo/pdns-users
