[dns-operations] dnssec via dynamic updates

Peter Andreev andreev.peter at gmail.com
Fri Mar 18 18:15:29 UTC 2016


Bert,

Thank you, I'll take a closer look at PowerDNS.

Brett, Evan,

The signer is under third-party management and I have no access to it.
After signing they upload a zone file to a server under my command. I
can negotiate the file format, whether it will be, for example, a zone
file or food for nsupdate or whatever, but changing the way we interact
is near-impossible.


2016-03-18 20:29 GMT+03:00 Evan Hunt <each at isc.org>:
> On Fri, Mar 18, 2016 at 03:51:44PM +0300, Peter Andreev wrote:
>> Unfortunately xfr is not an option. The main point is that the public server
>> should know nothing about the signer and vice versa.
>
> I'm not clear why *XFR isn't an option for this? You don't need to have
> your hidden master listed in the NS RRset where the public can see it; you
> only need it in the name server configuration. (In BIND terms, the signer
> needs to be listed in the "masters" option on the slave(s), and the
> slave(s) must be in the "allow-transfer" ACL on the signer.)
>
> --
> Evan Hunt -- each at isc.org
> Internet Systems Consortium, Inc.



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.


