Hi,
Knot already supports online signing. See
On 28 November 2016 at 05:18, Alarig Le Lay <alarig(a)swordarmor.fr> wrote:
Hi,
I use mod-synth-record to provide some reverse records for a LAN.
tregon-grifon.swordarmor.fr. is signed with DNSSEC, but I have a RRSIG
only for the records in the pasted file.
Yes, this is going to fail. To get around this, Knot would have to implement signing
on-the-fly. I'm not sure if that's on the roadmap anywhere.
If you want to sign tregon-grifon.swirdarmor.fr, then I'd suggest creating an insecure
delegation to a separate zone (e.g. dynamic.tregon-grifon.swordarmor.fr) and putting your
synthesized records in that zone.
_______________________________________________
knot-dns-users mailing list
knot-dns-users(a)lists.nic.cz
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users