[dns-operations] dnssec via dynamic updates

Mark Andrews marka at isc.org
Sat Mar 19 21:06:50 UTC 2016


In message <CAE_wXn1-CkFML7nDp_SvE7q1T0j6vwrA45nBe+o7Ou9v_wno8w at mail.gmail.com>, Peter Andreev writes:
> Hello,
> 
> I'd like to sign a zone on a hidden and secured server and distribute with
> DDNS all of the generated records to a public server. Unfortunately xfr is
> not an option. The main point is that the public server should know
> nothing about the signer and vice versa.
> 
> As for now I tried:
> 
> BIND doesn't allow adding of NSEC* and DNSKEYs without supplying a
> private key;

Did you remember to import the external DNSKEY using dnssec-importkey?

> Knot doesn't allow any dnssec-related records in update query;
> Yadifa's documentation looks like it was abandoned long ago.
> 
> Could you suggest how to couple ddns with dnssec? Or maybe an RFC
> exists which explicitly disallows such things? Or I don't see
> something completely different that would help me to cope with my
> problem?
> 
> -- 
> Is there any problem Exterminatus cannot solve? I have not found one yet.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org


