[dns-operations] dnssec via dynamic updates

Peter Andreev andreev.peter at gmail.com
Sun Mar 20 08:13:57 UTC 2016


2016-03-20 0:06 GMT+03:00 Mark Andrews <marka at isc.org>:
>
> In message <CAE_wXn1-CkFML7nDp_SvE7q1T0j6vwrA45nBe+o7Ou9v_wno8w at mail.gmail.com>
> , Peter Andreev writes:
>> Hello,
>>
>> I'd like to sign a zone on a hidden and secured server and distribute
>> all of the generated records with DDNS to a public server. Unfortunately
>> xfr is not an option. The main point is that the public server should
>> know nothing about the signer and vice versa.
>>
>> As for now I tried:
>>
>> BIND doesn't allow adding of NSEC* and DNSKEYs without supplying a
>> private key;
>
> Did you remember to import the external DNSKEY using dnssec-importkey?

Yes, I imported external keys. No luck, I'm still getting the following:

Mar 20 11:07:17 server named[18657]: client 127.0.0.1#19619: updating zone 'test.dynamic/IN': found no active private keys, unable to generate any signatures
Mar 20 11:07:17 server named[18657]: client 127.0.0.1#19619: updating zone 'test.dynamic/IN': RRSIG/NSEC/NSEC3 update failed: not found

>
>> Knot doesn't allow any dnssec-related records in update query;
>> Yadifa's documentation looks like it was abandoned long ago.
>>
>> Could you suggest how to couple DDNS with DNSSEC? Or maybe an RFC
>> exists which explicitly disallows such things? Or am I missing
>> something completely different that would help me cope with my
>> problem?
>>
>> --
>> Is there any problem Exterminatus cannot solve? I have not found one yet.
>> _______________________________________________
>> dns-operations mailing list
>> dns-operations at lists.dns-oarc.net
>> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
>> dns-jobs mailing list
>> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



-- 
Is there any problem Exterminatus cannot solve? I have not found one yet.
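The two named log lines quoted in this thread are exactly what an operator wants to alert on when a signed zone is fed by DDNS and the server has no usable signing keys: the update is accepted by the parser but named cannot produce RRSIGs. The following is an added example, not code from the thread or from ISC; it parses named "updating zone" lines of the format shown above (syslog prefix, client address, zone name, message) and flags the ones that indicate a signing failure. The two thread lines are embedded as-is; the third and fourth sample lines are constructed for illustration, and the exact wording of a successful update message is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Format of the named(8) update log lines quoted in the thread (BIND 9.9/9.10
# style: no client pointer, no zone in parentheses). Assumed to be stable for
# this log version; other BIND releases prefix the client differently.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) named\[(?P<pid>\d+)\]: "
    r"client (?P<client>[^:]+): updating zone '(?P<zone>[^']+)': (?P<msg>.*)$"
)

# Message fragments that mean a DDNS update hit a signed zone but named could
# not sign the result. Both strings are taken from the lines quoted above.
SIGNING_FAILURE_PATTERNS = (
    "found no active private keys",
    "RRSIG/NSEC/NSEC3 update failed",
)

# Sample input: lines 1-2 are the thread's own log lines; 3-4 are constructed.
SAMPLE_LOG = [
    "Mar 20 11:07:17 server named[18657]: client 127.0.0.1#19619: updating zone "
    "'test.dynamic/IN': found no active private keys, unable to generate any signatures",
    "Mar 20 11:07:17 server named[18657]: client 127.0.0.1#19619: updating zone "
    "'test.dynamic/IN': RRSIG/NSEC/NSEC3 update failed: not found",
    # constructed: a benign update on another zone (message wording assumed)
    "Mar 20 11:09:02 server named[18657]: client 127.0.0.1#20311: updating zone "
    "'other.dynamic/IN': adding an RR at 'www.other.dynamic' A",
    # constructed: unrelated line that must be ignored by the parser
    "Mar 20 11:09:03 server named[18657]: received control channel command 'status'",
]


@dataclass
class UpdateEvent:
    timestamp: str
    host: str
    client: str
    zone: str
    message: str
    signing_failure: bool


def parse_line(line: str) -> Optional[UpdateEvent]:
    """Return an UpdateEvent for a named 'updating zone' line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    return UpdateEvent(
        timestamp=m.group("ts"),
        host=m.group("host"),
        client=m.group("client"),
        zone=m.group("zone"),
        message=msg,
        signing_failure=any(p in msg for p in SIGNING_FAILURE_PATTERNS),
    )


def signing_failures(lines: Iterable[str]) -> List[UpdateEvent]:
    """All parsed update events whose message indicates a signing failure."""
    events = (parse_line(line) for line in lines)
    return [e for e in events if e is not None and e.signing_failure]


def zones_with_failures(lines: Iterable[str]) -> Dict[str, int]:
    """Per-zone count of signing failures, suitable for a monitoring check."""
    counts: Dict[str, int] = {}
    for e in signing_failures(lines):
        counts[e.zone] = counts.get(e.zone, 0) + 1
    return counts


if __name__ == "__main__":
    for zone, n in zones_with_failures(SAMPLE_LOG).items():
        print(f"{zone}: {n} DDNS update(s) could not be signed")
```

Pointing this at the server's update log (or a syslog pipe) gives a direct signal that a DDNS-fed signed zone is serving unsigned or stale data, which is the condition the thread's original poster was running into before the keys were recognised.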