Hello Daniel,
thanks for your answer, but I am looking for a hint on where the hidden master and
slave configuration is described. Or why is a hidden master-slave setup not
recommended?
Thanks and regards,
kaza.
---------- Original e-mail ----------
From: Daniel Salzman <daniel.salzman(a)nic.cz>
To: knot-dns-users(a)lists.nic.cz
Date: 13. 2. 2019 13:44:57
Subject: Re: [knot-dns-users] DNSSEC On-slave signing
"Hello Milan,
What exactly is unclear on the configuration? If you have hidden_master (Bind) -> public_master (Knot) configured,
simply enable dnssec-signing on the Knot side.
Best,
Daniel
On 2/12/19 3:54 PM, Milan Jeskynka Kazatel wrote:
Hello, community,
could someone describe in more detail the On-slave signing on both sides, slave and master,
in the case where the master server runs on BIND and the slave is Knot DNS?
I would like to achieve signing for "hidden master" configuration.
I found in Knot DNS documentation:
***
It is possible to enable automatic DNSSEC zone signing even on a slave server. If
enabled, the zone is signed after every AXFR/IXFR transfer from master, so that the
slave always serves a signed up-to-date version of the zone.

It is strongly recommended to block any outside access to the master server, so
that only the slave’s signed version of the zone is served.

Enabled on-slave signing introduces events when the slave zone changes while the
master zone remains unchanged, such as a key rollover or refreshing of RRSIG
records, which cause inequality of zone SOA serial between master and slave. The
slave server handles this by saving the master’s SOA serial in a special variable
inside KASP DB and appropriately modifying AXFR/IXFR queries/answers to keep the
communication with master consistent while applying the changes with a different
serial.

It is recommended to use UNIX time serial policy on master and incremental serial
policy on slave so that their SOA serials are equal most of the time.
***
Thanks for any advice.
Regards,
kaza
--
https://lists.nic.cz/cgi-bin/mailman/listinfo/knot-dns-users
"
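A Knot DNS configuration for the setup discussed in this thread (BIND hidden master, Knot public slave signing the zone after each transfer), added here as an illustration; it is not taken from the thread or from the Knot documentation. The zone name and the 192.0.2.x addresses are assumed placeholders.

```yaml
# Knot DNS (public slave) side of a hidden-master setup with on-slave signing.
# Assumed placeholders: zone example.com, BIND hidden master at 192.0.2.10,
# Knot listening on 192.0.2.20.
server:
    listen: 192.0.2.20@53

remote:
  - id: hidden_master
    address: 192.0.2.10@53        # the BIND hidden master (assumed address)

acl:
  - id: notify_from_master
    address: 192.0.2.10
    action: notify                # accept NOTIFY only from the hidden master

policy:
  - id: onslave
    algorithm: ecdsap256sha256
    ksk-size: 256
    zsk-size: 256
    zsk-lifetime: 30d
    rrsig-lifetime: 14d
    rrsig-refresh: 7d             # re-sign well before RRSIGs expire

zone:
  - domain: example.com
    master: hidden_master         # zone arrives via AXFR/IXFR from BIND
    acl: notify_from_master
    dnssec-signing: on            # sign after every transfer (Daniel's hint)
    dnssec-policy: onslave
    serial-policy: increment      # incremental on the slave, as the docs recommend
```

On the BIND hidden master, `serial-update-method unixtime;` in the zone statement matches the UNIX-time serial policy the documentation recommends for the master side. Restricting `allow-query` and `allow-transfer` there to the Knot server's address keeps the unsigned copy from being served to anyone else.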