Hello Libor,
thanks for the reply and the suggestion (I believe the idea provided is
worth trying; you are absolutely right about the latency issue in my use
case). My message was more or less to make sure I am not missing
something obvious; the important point is that the current setup works and
serves valid and signed data.
I keep my fingers crossed for the project :-)
Oto
On 26.11.2018 at 13:41 libor.peltan wrote:
Hi Oto,
thanks very much for your e-mail, as well as for choosing Knot DNS :)
You seem to understand the documentation perfectly; everything is
exactly as you described. Unfortunately, the Onlinesign module is poor in
some aspects, including master-slave setup.
Just an idea: you might also check out the Dnsproxy plugin, so that your
slave would not answer the queries to your synthesized zone at all,
but rather forward them to your master server (I expect the
increased latency would not hurt much, since the performance of
onlinesign is low anyway).
In any case, we will think about whether it would be possible to enable an
easier setup for use cases like yours.
BR,
Libor
On 26.11.18 at 07:22 Oto Stefan wrote:
Hello,
first of all I would like to express many thanks to the CZ.NIC DNS
team for an amazing piece of software, which Knot DNS in my view
surely is.
Well, to my question. I run two instances of knot 2.6.9 in the
master-slave configuration which serve a couple of zones. The zones
are DNSSEC signed at master with an automated key management. This
works excellent even with the KSK rotation (I am under .cz TLD).
However, I also have a subdomain (i.e., a 3rd-order domain) with
synthesized records. The only way I was able to find to allow DNSSEC
for it is:
- using mod-onlinesign on both the master and slave,
- generating a key externally (with bind-utils) and importing it
into KASP on both servers,
- configuring manual key policy,
- adding the appropriate DS record into the parent zone.
This seems to work fine, all the validation tests pass.
The question is: Is there a better way to achieve the goal
(especially with new features like automated key rotation in online
signing in version 2.7 in mind), or what is the recommended
practice in a similar situation?
Thanks in advance for any suggestion or advice,
Have a nice day,
Oto
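The two setups discussed in this thread (Oto's four-step onlinesign layout on the master, and Libor's Dnsproxy variant for the slave) written out as one knot.conf example. This is an added illustration, not configuration from the thread or from the Knot DNS project; the zone name sub.example.com, the addresses 192.0.2.1/192.0.2.2, and all section ids are assumed, and the section and option names follow the Knot 2.6 configuration reference as I understand it.

```yaml
# Added example, not from the thread. Zone name, addresses and ids are assumed.
# --- master: signs the synthesized zone on the fly and holds the only private key ---
remote:
  - id: slave
    address: 192.0.2.2@53          # assumed address of the slave

acl:
  - id: slave_xfr
    address: 192.0.2.2
    action: transfer               # let the slave pull the (minimal) zone

policy:
  - id: online_manual
    manual: on                     # step 3: manual key policy, no automatic rollover

mod-onlinesign:
  - id: sub_online
    policy: online_manual          # sign answers with the key imported into KASP (step 2)

zone:
  - domain: sub.example.com.       # assumed 3rd-level zone with synthesized records
    file: sub.example.com.zone
    dnssec-signing: off            # offline signing stays off; mod-onlinesign signs responses
    notify: slave
    acl: slave_xfr
    # whichever module synthesizes the records (not shown) is listed before onlinesign
    module: mod-onlinesign/sub_online

---
# --- slave, Libor's variant: no key material on this host at all; every query
# for the synthesized zone is forwarded to the master and answered from there ---
remote:
  - id: master
    address: 192.0.2.1@53          # assumed address of the master

mod-dnsproxy:
  - id: to_master
    remote: master
    fallback: off                  # forward every query, not only locally unanswerable ones
    timeout: 500                   # milliseconds to wait for the master

zone:
  - domain: sub.example.com.
    module: mod-dnsproxy/to_master # no onlinesign and no key on the slave
```

Step 2 of Oto's list, importing the externally generated BIND-format key pair on the master, is done with `keymgr sub.example.com. import-bind Ksub.example.com.+013+NNNNN` (the key-tag part of the file name is a placeholder), and `keymgr sub.example.com. ds` prints the DS record for step 4. In the proxy variant the private key is imported only on the master, so the slave never holds signing material; that reduced key exposure is the security side of Libor's suggestion, paid for with the extra round trip he mentions.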