rndc refresh fails for signed zones

Evan Hunt each at isc.org
Thu Dec 12 15:58:44 UTC 2013


> Am I correct in thinking that in the case of a hidden master and a chain
> of slaves, that the first publicly accessible slave would do the signing
> and that in any case only one instance of bind should do the signing?

The signer doesn't even have to be publicly accessible if you don't want it
to be.  But yes, you'd generally have only one signing server, whether it
was hidden or not.  (With multiple signing servers, you can end up with
multiple versions of the same zone, having the same serial number, serving
slightly different data; it doesn't necessarily break as long as you don't
cross the streams, but why risk it?)

Some discussion about scenarios in which inline-signing might be used
can be found here: https://kb.isc.org/article/AA-00626/

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
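The topology the reply recommends (exactly one signing server, hidden behind ordinary secondaries that only transfer the already-signed zone) looks like this in BIND's `named.conf`. This is an added illustration, not configuration from the original message or from ISC; the zone name, addresses, file paths and key directory are constructed placeholders, and a real deployment would also carry TSIG keys on the transfer and notify paths.

```conf
// Hidden signing master (constructed example; addresses and paths are placeholders).
// This is the ONLY server with inline-signing enabled, so there is exactly one
// signed copy of the zone per serial number.
zone "example.test" {
    type master;
    file "/var/named/example.test.db";      // unsigned source zone edited by the operator
    key-directory "/var/named/keys";        // private keys live here and nowhere else
    inline-signing yes;                     // named signs into a separate .signed file
    auto-dnssec maintain;                   // rolls signatures before they expire
    notify explicit;                        // this host is hidden: notify only the listed secondaries
    also-notify { 192.0.2.10; 192.0.2.11; };
    allow-transfer { 192.0.2.10; 192.0.2.11; };
};

// Public secondary (constructed example). Note what is absent: no inline-signing,
// no auto-dnssec and no key-directory. It serves the signed zone verbatim, so it can
// never produce a second, slightly different signed version under the same serial.
zone "example.test" {
    type slave;
    file "/var/named/slaves/example.test.signed";
    masters { 192.0.2.1; };                 // the hidden signer
    allow-transfer { 192.0.2.11; };         // optional: chain a further secondary from here
};
```

Because only the master holds keys, a secondary that was accidentally configured with `inline-signing yes;` and a key directory would be the "second signer" the reply warns about; auditing that no secondary zone stanza carries those options is the cheap check for this topology. On the signer itself, `rndc signing -list example.test` shows the current signing state of the zone.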
