[dns-operations] dnssec via dynamic updates

Peter Andreev andreev.peter at gmail.com
Fri Mar 18 12:51:44 UTC 2016


I'd like to sign the zone on a hidden and secured server and distribute
all of the generated records to the public server with DDNS. Unfortunately
xfr is not an option. The main point is that the public server should know
nothing about the signer and vice versa.

As for now I tried:

BIND doesn't allow adding NSEC* and DNSKEYs without supplying a private key;
Knot doesn't allow any DNSSEC-related records in an update query;
Yadifa's documentation looks like it was abandoned long ago.

Could you suggest how to couple DDNS with DNSSEC? Or maybe an RFC
exists which explicitly disallows such things? Or I don't see
something completely different that would help me to cope with my

