[dns-operations] dnssec via dynamic updates

Brett brettcarr at gmail.com
Fri Mar 18 15:37:01 UTC 2016


On 18 March 2016 at 12:51, Peter Andreev <andreev.peter at gmail.com> wrote:
> Hello,
>
> I'd like to sign a zone on a hidden and secured server and distribute with
> DDNS all of the generated records to a public server. Unfortunately xfr is
> not an option. The main point is that the public server should know
> nothing about the signer and vice versa.
>
> As for now I tried:
>
> BIND doesn't allow adding NSEC* and DNSKEYs without supplying a private key;
> Knot doesn't allow any dnssec-related records in an update query;
> Yadifa's documentation looks like it was abandoned long ago.
>
> Could you suggest how to couple ddns with dnssec? Or maybe an RFC
> exists which explicitly disallows such things? Or I don't see
> something completely different that would help me to cope with my
> problem?


Why not have the private key (or config to access the key on an HSM) on
your secured hidden master, which you then send dynamic updates to?
Then have your public master or slaves do axfr/ixfr from it.


-- 
Brett
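The layout Brett describes, as an added example that is not from the original thread: BIND named.conf fragments for a hidden master that accepts TSIG-authenticated dynamic updates, signs the zone in-line with a key that never leaves that host, and serves transfers only to the public secondaries. Hostnames, addresses, key names and file paths are assumptions; the two fragments belong in two separate named.conf files.

```conf
// ---- hidden master (holds the private key; not listed in NS records) ----
// Assumed TSIG keys, generated with tsig-keygen; the secrets are placeholders.
key "ddns-key" { algorithm hmac-sha256; secret "<DDNS-SECRET-PLACEHOLDER>"; };
key "xfr-key"  { algorithm hmac-sha256; secret "<XFR-SECRET-PLACEHOLDER>"; };

options {
    directory "/var/named";
    // Only the public secondaries may query; the hidden master is not
    // reachable from the internet at all. 192.0.2.0/24 is an assumed range.
    allow-query { 192.0.2.0/24; };
};

zone "example.com" {
    type master;
    file "example.com.db";
    // Signing keys live here and nowhere else; the public servers only ever
    // receive the signed zone data, nothing about the signer.
    key-directory "/var/named/keys";
    inline-signing yes;        // updates hit the unsigned copy, BIND signs it
    auto-dnssec maintain;      // keep RRSIG/NSEC/DNSKEY records current
    // Only holders of ddns-key may change records, and only inside the zone.
    update-policy { grant ddns-key zonesub ANY; };
    // Secondaries pull the signed zone; every transfer must carry xfr-key.
    allow-transfer { key xfr-key; };
    also-notify { 192.0.2.10; 192.0.2.11; };   // assumed public secondaries
    notify explicit;
};

// ---- public secondary (one of the NS hosts; separate named.conf) ----
// The same "xfr-key" statement must be declared on this host as well.
zone "example.com" {
    type slave;
    file "example.com.signed";
    masters { 198.51.100.5 key xfr-key; };     // assumed hidden master address
    allow-transfer { none; };                  // secondaries do not re-serve XFR
};
```

Record changes are then sent to the hidden master with nsupdate -k pointing at the ddns-key file; the public servers see only the signed zone via AXFR/IXFR and never the signing key.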
