Hello Milan,
What exactly is unclear on the configuration? If you have
hidden_master(Bind)->public_master(Knot) configured,
simply enable dnssec-signing on the Knot side.
Best,
Daniel
On 2/12/19 3:54 PM, Milan Jeskynka Kazatel wrote:
Hello, community,
could someone more describe the On-slave signing on both sides - slave and master in
the case where the master server runs on bind and slave is Knot DNS?
I would like to achieve signing for "hidden master" configuration.
I found in Knot DNS documentation:
***
It is possible to enable automatic DNSSEC zone signing even on a slave server. If
enabled, the zone is signed after every AXFR/IXFR transfer from master, so that the slave
always serves a signed up-to-date version of the zone.
It is strongly recommended to block any outside access to the master server, so that only
the slave’s signed version of the zone is served.
Enabled on-slave signing introduces events when the slave zone changes while the master
zone remains unchanged, such as a key rollover or refreshing of RRSIG records, which cause
inequality of zone SOA serial between master and slave. The slave server handles this by
saving the master’s SOA serial in a special variable inside KASP DB and appropriately
modifiying AXFR/IXFR queries/answers to keep the communication with master consistent
while applying the changes with a different serial.
It is recommended to use UNIX time serial policy on master and incremental serial policy
on slave so that their SOA serials are equal most of the time.
***
Thanks for any advice.
Regards,
kaza