On 26. 11. 18 7:22, Oto Stefan wrote:
Hello,
first of all I would like to express many thanks to the CZ.NIC DNS team
for an amazing piece of software which the KnotDNS in my view surely is.
Well, to my question. I run two instances of knot 2.6.9 in the
master-slave configuration which serve a couple of zones. The zones are
DNSSEC signed at master with an automated key management. This works
excellent even with the KSK rotation (I am under .cz TLD). However, I
also have a subdomain (i.e., 3rd order domain) with synthesized records.
The only way to allow DNSSEC for it I was able to find is:
- using mod-onlinesign on both the master and slave,
- generating a key externally (with bind-utils) and importing it into
KASP on both servers,
- configuring manual key policy,
- adding the appropriate DS record into the parent zone.
This seems to work fine, all the validation tests pass.
The question is: Is there a better way to achieve the goal (especially
with new features like automated key rotation in online signing of the
2.7 version in mind) or what is the recommended practice in a similar
situation?
Hmm, could you share configuration snippets from master and slave to
show us how exactly you are generating records and how you synchronize
"generation rules" between master and slaves?
Thanks!
--
Petr Špaček @ CZ.NIC