Hi Oto,

thanks much for your e-mail, as well as for choosing Knot DNS :)

You seem to understand the documentation perfectly, everything is exactly as you described. Unfortunately, the Onlinesign module is poor in some aspects, including master-slave setup.

Just an idea: you might also check out the Dnsproxy plugin, so that your slave would not answer the queries to your synthesized zone at all, but rather forward them to your master server (I expect the increased latency would not hurt much, since the performance of onlinesign is low anyway).

In any case, we will think about whether it would be possible to enable an easier setup for use cases like yours.

BR,

Libor

On 26.11.18 at 07:22, Oto Stefan wrote:
Hello,
first of all I would like to express many thanks to the CZ.NIC DNS team for an amazing piece of software, which KnotDNS in my view surely is.

Well, to my question. I run two instances of knot 2.6.9 in the master-slave configuration which serve a couple of zones. The zones are DNSSEC signed at master with an automated key management. This works excellently even with the KSK rotation (I am under .cz TLD). However, I also have a subdomain (i.e., 3rd order domain) with synthesized records. The only way to allow DNSSEC for it I was able to find is:
 - using mod-onlinesign on both the master and slave,
 - generating a key externally (with bind-utils) and importing it into KASP on both servers,
 - configuring manual key policy,
 - adding the appropriate DS record into the parent zone.
This seems to work fine, all the validation tests pass.
The question is: Is there a better way to achieve the goal (especially with new features like automated key rotation in online signing of the 2.7 version in mind) or what is the recommended practice in a similar situation?

Thanks in advance for any suggestion or advice,
Have a nice day,
Oto
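
Editor's illustration of the setup described in the original question, as a Knot DNS configuration fragment. This is an added example, not configuration posted by either participant; the zone name, the policy and module ids, the synthesized-record settings and the key file name are placeholders assumed for illustration.

```yaml
# Constructed example: the same fragment is loaded on both the master and
# the slave, because each server signs its own answers on the fly.

policy:
  - id: manual-online            # placeholder id
    manual: on                   # manual key management: no automatic
                                 # key generation or rollover

mod-synthrecord:
  - id: synth-fwd                # placeholder id and settings
    type: forward
    prefix: dyn-
    ttl: 400
    network: 2001:db8::/64       # documentation prefix, not a real network

mod-onlinesign:
  - id: sign-manual              # placeholder id
    policy: manual-online        # sign with the imported key only

zone:
  - domain: sub.example.cz       # placeholder for the 3rd-level zone
    # dnssec-signing stays off for this zone: mod-onlinesign signs
    # responses at query time instead of signing the zone contents.
    module: [mod-synthrecord/synth-fwd, mod-onlinesign/sign-manual]

# Key handling outside this file (placeholder file name):
#   1. Generate one key pair externally with the BIND utilities.
#   2. On BOTH servers, import the same key into the KASP database:
#        keymgr sub.example.cz. import-bind Ksub.example.cz.+ALG+KEYTAG.key
#   3. Publish the matching DS record in the parent zone.
# Both servers must hold the identical key, otherwise signatures served
# by one of them will not validate against the published DS.
```

With a manual policy, any later key replacement has to be repeated by hand on every server and coordinated with the DS record in the parent zone.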