do not stupidly delete ZSK files
dnewman at networktest.com
Thu Jul 30 23:47:03 UTC 2015
On 7/30/15 10:37 AM, Evan Hunt wrote:
> On Thu, Jul 30, 2015 at 10:30:33AM -0700, David Newman wrote:
>> After that second procedure (and also chown'ing the keyfiles to the bind
>> user), the command 'dig +dnssec +multi dnskey example.com' gives
>> different results depending on which nameserver gets the query:
>> Hidden primary (not authoritative for this zone): Key still in zone
> ... sorry, I'm confused. Which of the servers is doing the signing?
This hidden primary nameserver does the signing. The zones I've created
list only the secondary nameservers -- the ones that get zone transfers
from this hidden primary -- as authoritative.
Most zones have four authoritative nameservers, only one of which I
manage. Of the three I don't manage, I'm pretty sure at least two have
no DNSSEC-specific configuration -- a hint that any DNSSEC records they
serve come from this hidden primary.
Make sense? If not, please let me know what other info you need.
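Added example, not from this thread or from BIND: a small Python check for the symptom described above, namely a DNSKEY RRset that differs between the hidden primary and the secondaries. It parses 'dig +dnssec +multi dnskey' style answers per server, computes each key's tag (RFC 4034, Appendix B) and reports tags that are not present on every server. The zone name, server names and key material below are constructed placeholders.

```python
import base64
import struct
# Constructed 'dig +dnssec +multi dnskey' style answers with toy key material (not
# real RSA keys): the hidden primary still serves a ZSK the secondary no longer has.
HIDDEN_PRIMARY = """\
example.com. 3600 IN DNSKEY 257 3 8 (
        AQIDBA== ) ; KSK; alg = RSASHA256
example.com. 3600 IN DNSKEY 256 3 8 (
        BQYHCA== ) ; ZSK; alg = RSASHA256
example.com. 3600 IN DNSKEY 256 3 8 (
        CQoLDA== ) ; ZSK; alg = RSASHA256
"""
SECONDARY_NS1 = """\
example.com. 3600 IN DNSKEY 257 3 8 (
        AQIDBA== ) ; KSK; alg = RSASHA256
example.com. 3600 IN DNSKEY 256 3 8 (
        CQoLDA== ) ; ZSK; alg = RSASHA256
"""

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (not for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + key
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskeys(dig_output):
    """Map key tag -> (flags, algorithm) for every DNSKEY in +multi style output."""
    keys, buf, in_parens = {}, [], False
    for line in dig_output.splitlines():
        line = line.split(";", 1)[0]  # drop dig's trailing comments
        buf.append(line)
        in_parens = ("(" in line or in_parens) and ")" not in line
        if in_parens:
            continue  # record continues on the next line
        fields = " ".join(buf).replace("(", " ").replace(")", " ").split()
        buf = []
        if "DNSKEY" in fields:
            i = fields.index("DNSKEY")
            flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
            key = base64.b64decode("".join(fields[i + 4:]))
            keys[key_tag(flags, proto, alg, key)] = (flags, alg)
    return keys

def dnskey_mismatches(views):
    """{server: dig_output} -> {key_tag: [servers serving it]} for tags not on every server."""
    parsed = {srv: parse_dnskeys(out) for srv, out in views.items()}
    tags = set().union(*parsed.values())
    return {t: sorted(s for s, k in parsed.items() if t in k)
            for t in tags if any(t not in k for k in parsed.values())}
```

Feed it the real answers from each of the four authoritative servers plus the hidden primary; an empty result means every server agrees on the DNSKEY RRset, and any tag listed against only the hidden primary is a key that never made it to the secondaries.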