redundant bump-in-the-wire signers using BIND

Tony Finch dot at dotat.at
Tue May 22 10:22:42 UTC 2018


Michael Sinatra <michael at brokendns.net> wrote:
>
> My only concern is that serial numbers might get out of sync between the
> two signers at some point.

You can avoid this problem with `serial-update-method unixtime`.

HOWEVER! I think you are going to have problems with inconsistent IXFRs
depending on which signer the public authoritative servers talk to. You
can work around this by only using AXFR, by turning off `provide-ixfr` and
`request-ixfr`.

If this is going to be painful for you because of zone sizes, you might
consider getting dirty with dnssec-signzone which gives you more control
over when signing happens and RRSIG validity periods. I think (depending
on the signature algorithm) this will allow you to ensure that the two
signers produce the same zones at the same times. But it'll require a fair
amount of fiddling to get right.

(My recovery plan for a failed signer is to reprovision a replacement from
scratch.)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
individual and social justice
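A concrete named.conf sketch of the two-signer setup discussed in this thread, added here as an illustration (it is not part of Tony's message or of BIND's documentation). Each bump-in-the-wire signer pulls the unsigned zone from a hidden primary, signs it inline, and serves the signed copy to the public authoritative servers. All names, addresses and key paths are assumptions:

```conf
// Added example, not from the original post. Same stanza on BOTH signers;
// the signing keys in key-directory must be identical copies on each.
options {
    directory "/var/named";

    // The public authoritative servers are secondaries of both signers.
    // Each signer keeps its own journal, so an IXFR delta served by signer B
    // need not apply cleanly to a zone copy a secondary got from signer A.
    // Force full transfers instead (set request-ixfr no on the public
    // servers as well).
    provide-ixfr no;
    request-ixfr no;
};

zone "example.com" {
    type slave;                          // "secondary" on newer BIND
    file "example.com.unsigned";
    masters { 192.0.2.1; };              // hidden unsigned primary (assumed)

    inline-signing yes;
    auto-dnssec maintain;                // newer releases use dnssec-policy
    key-directory "/var/named/keys";     // assumed path, same keys on both

    // Take the signed zone's SOA serial from the clock rather than from
    // the previous serial, so two independent signers stay in step.
    serial-update-method unixtime;

    allow-transfer { 198.51.100.0/24; }; // public authoritative servers (assumed)
    also-notify { 198.51.100.10; 198.51.100.11; };
    notify explicit;
};
```

With `unixtime` serials, a signer that falls behind by a few seconds still produces a serial within the same window, but the signatures themselves will differ between the two signers unless, as Tony notes, signing is driven externally with fixed validity periods and a deterministic algorithm.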

