Hi Einar,
AFAIK using multiple parallel signers is unexplored territory in DNS.
It's not difficult to ensure matching SOA serials, but having different
zone versions with the same SOA serial is only asking for more trouble: what
if any secondary takes (for whatever reason) an IXFR from a different
signer than previously...
There is a way to sign a zone deterministically (either RSA or Deterministic
ECDSA), but the whole of DNSSEC relies on Unix timestamps, and it seems not
viable to establish a second-precision sync among signers. There have
been thoughts about this previously, but none went far enough to be
adopted by Knot.
I agree it would be useful to have parallel signers, for the sake of
reliability, even better if they were of very different implementations.
But I haven't heard of any functioning setup. I assume most operators
simply rely on a single signer, while they are able to fix any issues
before the zone expires on public secondaries.
BR,
Libor
PS: it's both odd and inspiring how different TLD operators face
different issues and focus on different goals: .de strikes frequency of
updates, .be triple-checks that the zone was not signed incorrectly, .is
seeks assurance that the signer keeps running ... :)
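The two hazards described above (SOA serials that drift apart, and signatures that differ between signers because RRSIG inception and expiration times are part of the signed data even when the signature algorithm itself is deterministic) are easy to check for once you have a snapshot of each signer's output. The following is an added example written for this thread, not code from either poster or from the Knot project: it parses two constructed zone snapshots in presentation format (the kind you would get from an AXFR of the active and the standby signer), compares the SOA serials, and classifies each RRSIG as identical, differing only because of its timestamps, or differing with identical timestamps. The owner names, key tag and signature strings are constructed sample values.

```python
"""Compare the signed output of two parallel DNSSEC signers (added example).

Input is presentation-format zone text, as produced by an AXFR or a zone dump.
Only SOA and RRSIG records are inspected; everything else is ignored.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rrsig:
    owner: str
    type_covered: str
    expiration: int  # YYYYMMDDHHMMSS as written in the RRSIG RDATA
    inception: int
    keytag: int
    signature: str


# owner TTL IN SOA mname rname serial ...
SOA_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+SOA\s+\S+\s+\S+\s+(\d+)\s")
# owner TTL IN RRSIG covered alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(\d+)\s+(\d+)\s+(\d+)\s+\S+\s+(\S+)$"
)


def parse_snapshot(text):
    """Return (soa_serial, {(owner, type_covered, keytag): Rrsig})."""
    serial, rrsigs = None, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = SOA_RE.match(line)
        if m:
            serial = int(m.group(2))
            continue
        m = RRSIG_RE.match(line)
        if m:
            owner, covered, exp, inc, keytag, sig = m.groups()
            rrsigs[(owner, covered, int(keytag))] = Rrsig(
                owner, covered, int(exp), int(inc), int(keytag), sig)
    return serial, rrsigs


def compare_signers(active_text, standby_text):
    """Classify the RRSIGs of two signers and check SOA serial agreement."""
    a_serial, a_sigs = parse_snapshot(active_text)
    s_serial, s_sigs = parse_snapshot(standby_text)
    report = {
        "serials": (a_serial, s_serial),
        "serial_match": a_serial == s_serial,
        "identical": [],
        # timestamps differ: the signature necessarily differs too, because the
        # inception/expiration fields are covered by the signature
        "timestamp_diff": [],
        # same timestamps, different signature: non-deterministic algorithm
        # (e.g. plain ECDSA) or different signed data
        "signature_diff": [],
        "only_in_active": sorted(set(a_sigs) - set(s_sigs)),
        "only_in_standby": sorted(set(s_sigs) - set(a_sigs)),
    }
    for key in sorted(set(a_sigs) & set(s_sigs)):
        a, s = a_sigs[key], s_sigs[key]
        if (a.inception, a.expiration) != (s.inception, s.expiration):
            report["timestamp_diff"].append(key)
        elif a.signature != s.signature:
            report["signature_diff"].append(key)
        else:
            report["identical"].append(key)
    return report


def failover_warnings(report):
    """Turn a comparison report into the warnings an operator should see."""
    differs = (report["timestamp_diff"] or report["signature_diff"]
               or report["only_in_active"] or report["only_in_standby"])
    warnings = []
    if not report["serial_match"]:
        warnings.append("SOA serial differs: secondaries see two zone versions")
    elif differs:
        warnings.append("same SOA serial but different RRSIGs: "
                        "secondaries cannot tell the versions apart (IXFR hazard)")
    if report["signature_diff"]:
        warnings.append("RRSIG differs with identical timestamps: "
                        "non-deterministic signing or different zone data")
    return warnings


# Constructed snapshots; signatures are placeholder tokens, not real base64.
ACTIVE = """
example. 3600 IN SOA ns1.example. hostmaster.example. 2020121401 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 13 1 3600 20201228102600 20201214092600 12345 example. SIG_SOA_A
example. 3600 IN RRSIG NS 13 1 3600 20201228102600 20201214092600 12345 example. SIG_NS_A
www.example. 300 IN RRSIG A 13 2 300 20201228102600 20201214092600 12345 example. SIG_WWW
"""
STANDBY = """
example. 3600 IN SOA ns1.example. hostmaster.example. 2020121402 7200 3600 1209600 3600
example. 3600 IN RRSIG SOA 13 1 3600 20201228102700 20201214092700 12345 example. SIG_SOA_B
example. 3600 IN RRSIG NS 13 1 3600 20201228102600 20201214092600 12345 example. SIG_NS_B
www.example. 300 IN RRSIG A 13 2 300 20201228102600 20201214092600 12345 example. SIG_WWW
mail.example. 300 IN RRSIG A 13 2 300 20201228102600 20201214092600 12345 example. SIG_MAIL
"""

if __name__ == "__main__":
    rep = compare_signers(ACTIVE, STANDBY)
    for k, v in rep.items():
        print(f"{k}: {v}")
    for w in failover_warnings(rep):
        print("WARNING:", w)
```

Run it against two real snapshots by replacing the constructed `ACTIVE` and `STANDBY` strings with the AXFR output of each signer. A `signature_diff` entry with the same key tag and timestamps is the signal that the signers would not produce interchangeable zones even if their clocks were synchronised, and a `serial_match` of `True` together with any non-empty difference list is exactly the "same serial, different content" situation that makes IXFR from a different signer unsafe.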
On 14. 12. 20 at 10:26 Einar Bjarni Halldórsson wrote:
Hi,
We're migrating our signer from OpenDNSSEC to Knot 3.0. Our new design
will have one active signer and at least one backup signer. Zone data
is deployed from git to both signers. We've got syncing of the keys
working using `knotc zone-backup +nozonefile` and `knotc zone-restore
+nozonefile`. I'm still unsure of how hot to keep the standby. In the
dev env now I have the standby set to a manual dnssec policy to keep
it from rolling its keys. The keys are synced from the active signer
every hour. Both the active and the backup signers are creating
signatures but SOA serials don't match. Both signers have
`serial-policy: dateserial` and `zonefile-sync: -1` but we're
considering adding `zonefile-load: difference-no-serial`.
We've discussed stopping signing on the backup altogether and
including the zonefiles in the backup. The problem we have with this
idea is that problems with signing on the backup won't be discovered
until it goes active.
Are other people doing active-backup signers and how do you set it up?
.einar