Hi Libor
Libor Peltan via knot-dns-users <knot-dns-users(a)lists.nic.cz> wrote:
> I guess the sentence "only if the query can't
> be satisfied from the zone" means that the zone file takes precedence (and overrides)
> automatically generated records. So if you create your reverse zone with _some_ names in
> it, synthrecord will generate only for the other names.
Understood and thanks.
> Anyway, an alternative to using synthrecord module is
> to generate the reverse zone with
> https://www.knot-dns.cz/docs/3.4/singlehtml/index.html#reverse-generate .
This is very important information for me, because I was wondering how I would secure a
reverse zone with DNSSEC.
From your link:
| This option triggers the automatic generation of reverse PTR records based on A/AAAA
| records in the specified zone. The entire generated zone is automatically stored in
| the journal.
Does that mean that:
#) if I do host a given number of zone files, and
#) if all those zones use AAAA records of the same IPv6 reverse zone,
#) I don't even need to create and maintain an ip6.arpa zone file?
Correct?
> This method is more offline, so it can be combined
> with traditional DNSSEC signing
Does that mean that I only need to include ...
| - domain: b.0.0.0.a.0.0.0.f.e.e.b.d.a.e.d.ip6.arpa
|   dnssec-signing: on
… in knot.conf and my reverse zone is signed. Correct?
But what about KSK for my reverse zone and DNSKEY "upload to the registrar"?
I do have the feeling I am missing an important part here ;-)
Any feedback is highly appreciated.
Thanks and regards,
Michael
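
The mapping that the quoted documentation describes (PTR records derived from AAAA records), shown as an added example that is not part of the original message and is not Knot DNS's own code. The forward names and addresses are constructed samples; only the reverse zone name comes from the message, and keeping every name for a shared address is an assumption of this sketch, not documented Knot behaviour.

```python
import ipaddress

# Reverse zone name taken from the message above (a /64 under ip6.arpa).
REVERSE_ORIGIN = "b.0.0.0.a.0.0.0.f.e.e.b.d.a.e.d.ip6.arpa."

# Constructed sample data: (owner name, AAAA address) from two forward zones.
FORWARD_AAAA = [
    ("www.example.com.", "dead:beef:a:b::1"),
    ("mail.example.com.", "dead:beef:a:b::25"),
    ("ns1.example.net.", "dead:beef:a:b::53"),
    ("alias.example.net.", "dead:beef:a:b::1"),  # shares an address with www
    ("other.example.net.", "dead:beef:a:c::1"),  # outside the reverse zone
]


def ptr_owner(address):
    """Return the fully qualified ip6.arpa/in-addr.arpa owner name for an address."""
    return ipaddress.ip_address(address).reverse_pointer + "."


def build_reverse(records, origin):
    """Group forward names by PTR owner, keeping only owners below `origin`.

    Returns (zone, skipped): zone maps PTR owner -> set of target names,
    skipped lists forward records whose address lies outside the reverse zone.
    """
    zone, skipped = {}, []
    for name, addr in records:
        owner = ptr_owner(addr)
        if not owner.endswith("." + origin):
            skipped.append((name, addr))
            continue
        zone.setdefault(owner, set()).add(name)
    return zone, skipped


def render(zone):
    """Render the generated data as sorted zone-file style PTR lines."""
    return [f"{owner} PTR {target}"
            for owner in sorted(zone) for target in sorted(zone[owner])]


if __name__ == "__main__":
    generated, outside = build_reverse(FORWARD_AAAA, REVERSE_ORIGIN)
    print("\n".join(render(generated)))
    print("not in reverse zone:", outside)
```

Records from several forward zones land in the same reverse zone as long as their addresses fall under its prefix; anything outside the prefix needs a different reverse zone.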