DNSSEC, Bind 8.2.2-T3B, and slave servers

Cricket Liu cricket at acmebw.com
Sat Sep 18 05:05:06 UTC 1999


Jesse Whyte <jwhyte at mail.state.tn.us> wrote in message
news:<038c01bf005d$e90c01e0$33ef8eaa at sec.state.tn.us>...
> 2)  In setting up DNSSEC, the primary master has a pubkey statement
> placed in the named.conf file that looks like this...
>
> zone "foobar.com" {
>   type master;
>   file "foobar.db";
>   pubkey 16641 3 3 "GIBBERISH...";
> };
>
> What has to be done to a secondary slave server?  Will I have to run
> dnskeygen on the secondary and put the secondary's public key in this
> area?

You wouldn't run dnskeygen again, or you'd get a different public key for
the zone.  You need to configure the slave with the zone's public key, too,
so that it can verify the SIG RRs when it loads the zone.

> This doesn't make sense, because the SIG records are signed with the
> primary master's key.  So, should I put the primary master's public key
> here?

The key doesn't belong to a name server; it belongs to the zone.  Hence it's
the same on both name servers.

cricket

Acme Byte & Wire
cricket at acmebw.com
www.acmebw.com

Attend our next DNS and BIND class!  See
www.acmebw.com/training.htm for the
schedule and to register for upcoming
classes.
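
An added example, not part of the original post or of BIND itself: a small Python check that each zone's `pubkey` statement on a slave is identical to the one on the primary master, which is what the reply above requires. The sample configurations, key strings, master address and file names are constructed placeholders, and the parser assumes no comments or quoted strings containing braces.

```python
import re

# Constructed BIND 8 style samples; key strings and addresses are placeholders.
MASTER_CONF = '''
zone "foobar.com" {
  type master;
  file "foobar.db";
  pubkey 16641 3 3 "PLACEHOLDERKEYAAAA";
};
'''
SLAVE_OK = '''
zone "foobar.com" {
  type slave;
  masters { 192.0.2.1; };
  file "bak.foobar.db";
  pubkey 16641 3 3 "PLACEHOLDERKEYAAAA";
};
'''
# A slave where dnskeygen was run again, and one with no pubkey at all.
SLAVE_REGENERATED = SLAVE_OK.replace("PLACEHOLDERKEYAAAA", "PLACEHOLDERKEYBBBB")
SLAVE_MISSING = SLAVE_OK.replace('  pubkey 16641 3 3 "PLACEHOLDERKEYAAAA";\n', "")

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*(?:\w+\s*)?\{')
PUBKEY_RE = re.compile(r'pubkey\s+(\d+)\s+(\d+)\s+(\d+)\s+"([^"]*)"\s*;')

def zone_pubkeys(conf):
    """Map zone name -> (flags, protocol, algorithm, key), or None if absent."""
    zones = {}
    for m in ZONE_RE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the brace closing this zone
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        pk = PUBKEY_RE.search(conf[m.end():i - 1])
        zones[m.group(1).lower()] = pk.groups() if pk else None
    return zones

def compare(master_conf, slave_conf):
    """Return {zone: status} for every zone the slave is configured to serve."""
    master, result = zone_pubkeys(master_conf), {}
    for zone, key in zone_pubkeys(slave_conf).items():
        if master.get(zone) is None:
            result[zone] = "no key on master"
        elif key is None:
            result[zone] = "missing on slave"
        else:
            result[zone] = "match" if key == master[zone] else "MISMATCH"
    return result
```
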