Hello Peter,

On 2015/02/05 22:59, Peter van Dijk wrote:
> Hello Martin,
>
> On 30 Jan 2015, at 4:56 , Martin Chandler <[email protected]> wrote:
>
>>> On 29 Jan 2015, at 7:45 , Martin Chandler <[email protected]> wrote:
>>>
>>>> I am running a PowerDNS hidden master behind BIND dns servers serving to
>>>> the public.
>>>>
>>>> We have a mix of DNSSEC secure zones, and non-secure zones.
>>>>
>>>> My question is do I have to 'rectify-zone' on the non-secure zones?
>>>> (does Powerdns still need the auth and ordername for non-secure zones?)
>>>
>>> On non-secure zones, ordername is ignored, but auth is not. However, if you
>>> just set auth=1 on all records, you get the ‘old’ behaviour, which has been
>>> demonstrated to work just fine in practice. If you use the 3.4.0+ SQL
>>> schema, you get auth=1 by default.
>>
>> Just curious, as a hidden master that only sends zone transfers to the
>> front end BIND servers, what will I lose with the 'old' behaviour?
>
> If you only serve AXFR, there is no difference between ‘old’ and ‘new’
> behaviour. In fact, PowerDNS will auto-rectify during outgoing AXFR for you
> in this case, as long as you make sure SOA queries (that the slave might do
> to check freshness) don’t fail.
>

Thank you very much for the clarification.

Regards,
Martin

--
Cellular phone : 090-7849-6808
e-mail:[email protected]
URL :http://www.aventer.net/
