[dns-operations] dnssec via dynamic updates

Evan Hunt each at isc.org
Fri Mar 18 17:29:04 UTC 2016


On Fri, Mar 18, 2016 at 03:51:44PM +0300, Peter Andreev wrote:
> Unfortunately xfr is not an option. The main point is that public server
> should know nothing about signer and vice versa.

I'm not clear why *XFR isn't an option for this? You don't need to have
your hidden master listed in the NS RRset where the public can see it; you
only need it in the name server configuration. (In BIND terms, the signer
needs to be listed in the "masters" option on the slave(s), and the
slave(s) must be in the "allow-transfer" ACL on the signer.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
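
The hidden-master arrangement described in the message above, sketched as a BIND named.conf fragment. This is an added example, not part of the original message; the zone name, addresses (documentation ranges), key name, secret and file paths are placeholders, and the TSIG key is an assumption added so that transfers are authenticated rather than allowed by address alone.

```conf
# ---- named.conf on the signer (hidden master, not listed in the NS RRset) ----
# Placeholder address: 192.0.2.1

key "xfer-key" {                        # placeholder key name
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET"; # placeholder, generate your own
};

zone "example.com" {                    # placeholder zone
    type master;
    file "signed/example.com.db";       # placeholder path
    # Only holders of the TSIG key may pull the zone.
    allow-transfer { key "xfer-key"; };
    # Tell the public slave when the zone changes.
    also-notify { 198.51.100.53; };
};

# ---- named.conf on the public slave ----
# Placeholder address: 198.51.100.53

key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET"; # same placeholder secret as above
};

zone "example.com" {
    type slave;
    file "slaves/example.com.db";       # placeholder path
    # The signer appears only here, never in the published NS RRset.
    masters { 192.0.2.1 key "xfer-key"; };
    # The public server does not hand the zone on to anyone else.
    allow-transfer { none; };
};
```

The public NS RRset for the zone lists only the slave(s); the signer's address appears solely in the slave's "masters" statement.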