Hello Daniel,

thanks for your answer, but I am looking for a hint where the hidden master and slave configuration is designed. Or why is a hidden master-slave setup not recommended?

Thanks and regards,
kaza.


Hello Milan,

What exactly is unclear about the configuration? If you have hidden_master(Bind)->public_master(Knot) configured,
simply enable dnssec-signing on the Knot side.

Best,
Daniel

On 2/12/19 3:54 PM, Milan Jeskynka Kazatel wrote:
> Hello, community,
>
> could someone describe in more detail the On-slave signing on both sides - slave and master - in the case where the master server runs on bind and the slave is Knot DNS?
>
> I would like to achieve signing for "hidden master" configuration.
>
> I found in Knot DNS documentation:
> ***
> It is possible to enable automatic DNSSEC zone signing even on a slave server. If enabled, the zone is signed after every AXFR/IXFR transfer from master, so that the slave always serves a signed up-to-date version of the zone.
>
> It is strongly recommended to block any outside access to the master server, so that only the slave’s signed version of the zone is served.
>
> Enabled on-slave signing introduces events when the slave zone changes while the master zone remains unchanged, such as a key rollover or refreshing of RRSIG records, which cause inequality of zone SOA serial between master and slave. The slave server handles this by saving the master’s SOA serial in a special variable inside KASP DB and appropriately modifying AXFR/IXFR queries/answers to keep the communication with master consistent while applying the changes with a different serial.
>
> It is recommended to use UNIX time serial policy on master and incremental serial policy on slave so that their SOA serials are equal most of the time.
> ***
>
> Thanks for any advice.
>
> Regards,
> kaza
>
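The Knot-side configuration that Daniel's reply refers to, written out as an added example for this thread (it is not code from the list posters or from the Knot DNS project). Everything here is a constructed placeholder: the hidden master address 192.0.2.1, the zone example.com, the TSIG key name and secret, and the lifetimes in the policy. The zone is a normal secondary pulled from the BIND hidden master, with dnssec-signing enabled on the Knot side and an incremental serial policy, as the quoted documentation recommends.

```yaml
# knot.conf on the public Knot DNS server (secondary / "public master").
# Added example; addresses, names and the TSIG secret are placeholders.

server:
    listen: [ 0.0.0.0@53, ::@53 ]

# TSIG key shared with the BIND hidden master so that transfers and
# NOTIFYs are authenticated, not just IP-filtered. Replace the secret.
key:
  - id: xfr_key
    algorithm: hmac-sha256
    secret: UkVQTEFDRV9XSVRIX0FfUkVBTF9TRUNSRVQ=   # placeholder, not a real key

# The BIND hidden master we pull the unsigned zone from.
remote:
  - id: hidden_master
    address: 192.0.2.1@53                         # placeholder address
    key: xfr_key

# Accept NOTIFY only from the hidden master, and only with the key.
acl:
  - id: acl_hidden_master
    address: 192.0.2.1
    key: xfr_key
    action: notify

# DNSSEC policy used for the on-secondary signing. Lifetimes are
# illustrative placeholders; pick values that match your rollover plan.
policy:
  - id: onslave_policy
    algorithm: ecdsap256sha256
    ksk-lifetime: 365d
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d
    nsec3: on

zone:
  - domain: example.com                          # placeholder zone
    storage: /var/lib/knot
    master: hidden_master
    acl: acl_hidden_master
    # Sign after every AXFR/IXFR received from the hidden master.
    dnssec-signing: on
    dnssec-policy: onslave_policy
    # Knot bumps the serial for its own changes (RRSIG refresh, key
    # rollover); the master keeps a UNIX-time serial, so both stay
    # close most of the time, as the documentation suggests.
    serial-policy: increment
```

On the BIND side the corresponding pieces are ordinary: restrict allow-transfer and also-notify for the zone to the Knot server's address (with the same TSIG key), keep the hidden master unreachable from the outside so only the signed copy is ever served, and, where the zone is dynamic, use a UNIX-time serial update method. The configuration can be checked with knotc conf-check before loading it.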
--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users