Hi Oto,
thanks much for your e-mail, as well as for choosing Knot DNS :)
You seem to understand the documentation perfectly; everything is
exactly as you described. Unfortunately, the Onlinesign module is poor in
some aspects, including the master-slave setup.
Just an idea: you might also check out the Dnsproxy plugin, so that your
slave would not answer the queries to your synthesized zone at all, but
rather forward them to your master server (I expect the increased
latency would not hurt much, since the performance of onlinesign is low
anyway).
In any case, we will think about whether it would be possible to enable an
easier setup for use cases like yours.
BR,
Libor
On 26.11.18 at 07:22, Oto Stefan wrote:
Hello,
first of all I would like to express many thanks to the CZ.NIC DNS
team for an amazing piece of software, which KnotDNS in my view
surely is.
Well, to my question. I run two instances of Knot 2.6.9 in a
master-slave configuration which serve a couple of zones. The zones
are DNSSEC signed at the master with automated key management. This
works excellently, even with the KSK rotation (I am under the .cz TLD).
However, I also have a subdomain (i.e., a 3rd-order domain) with
synthesized records. The only way to enable DNSSEC for it that I was
able to find is:
- using mod-onlinesign on both the master and slave,
- generating a key externally (with bind-utils) and importing it into
KASP on both servers,
- configuring manual key policy,
- adding the appropriate DS record into the parent zone.
This seems to work fine, all the validation tests pass.
The question is: is there a better way to achieve the goal (especially
with new features like automated key rotation in online signing in
version 2.7 in mind), or what is the recommended practice in a similar
situation?
Thanks in advance for any suggestion or advice,
Have a nice day,
Oto
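A knot.conf sketch of the setup discussed in this thread, added here as an example and not taken from either message or from the Knot DNS project: the master runs mod-synthrecord together with mod-onlinesign under a manual key policy, while the slave follows Libor's idea and proxies the whole zone to the master with mod-dnsproxy instead of signing it. The zone name, addresses and all section identifiers are assumed placeholders.

```yaml
# ---- /etc/knot/knot.conf on the MASTER (added example, assumed values) ----

policy:
  # Manual policy: Knot never rolls the key on its own, so the externally
  # generated key imported into KASP on both servers stays in use and the
  # DS record published in the parent zone keeps matching it.
  - id: synth-manual
    manual: on
    single-type-signing: on        # one key acts as KSK and ZSK (CSK)

mod-synthrecord:
  # Forward synthesis, e.g. dynamic-192-0-2-10.dyn.example.com -> 192.0.2.10
  - id: synth-v4
    network: 192.0.2.0/24          # assumed client range
    origin: forward
    prefix: dynamic-
    ttl: 400

mod-onlinesign:
  # Signs every synthesized answer on the fly with the key from the policy.
  - id: synth-sign
    policy: synth-manual

zone:
  # Zone file holds only the static apex records (SOA, NS); the rest is
  # synthesized and signed per query. The key was imported beforehand with
  # "keymgr dyn.example.com. import-bind Kdyn.example.com.+013+NNNNN"
  # (key file name is a placeholder).
  - domain: dyn.example.com
    module: [mod-synthrecord/synth-v4, mod-onlinesign/synth-sign]

# ---- /etc/knot/knot.conf on the SLAVE (added example, assumed values) ----

remote:
  - id: master
    address: 192.0.2.1             # assumed master address

mod-dnsproxy:
  # fallback: off forwards every query for the zone to the master, so the
  # slave never answers from its own (unsigned, unsynthesized) copy.
  - id: to-master
    remote: master
    fallback: off

zone:
  - domain: dyn.example.com
    master: master                 # keeps the static apex in sync
    module: mod-dnsproxy/to-master
```

The two fragments belong in separate files; the slave variant trades the extra round trip to the master for not having to replicate the key and signing configuration there.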