redundant bump-in-the-wire signers using BIND

Tony Finch
Tue May 22 10:22:42 UTC 2018

Michael Sinatra wrote:
> My only concern is that serial numbers might get out of sync between the
> two signers at some point.

You can avoid this problem with `serial-update-method unixtime`.

HOWEVER! I think you are going to have problems with inconsistent IXFRs
depending on which signer the public authoritative servers talk to. You
can work around this by only using AXFR, by turning off `provide-ixfr` and

If this is going to be painful for you because of zone sizes, you might
consider getting dirty with dnssec-signzone which gives you more control
over when signing happens and RRSIG validity periods. I think (depending
on the signature algorithm) this will allow you to ensure that the two
signers produce the same zones at the same times. But it'll require a fair
amount of fiddling to get right.

(My recovery plan for a failed signer is to reprovision a replacement from

f.anthony.n.finch
individual and social justice
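An added example, not code from the post above: a Python check for the two ways redundant signers can drift that the post describes (SOA serials out of sync, and RRSIG validity periods that differ between signers). It parses zone-file text in the one-record-per-line form dnssec-signzone writes; the zone name, serials and signature data are constructed for illustration.

```python
def parse_signed_zone(text):
    """Return (soa_serial, {(owner, covered_type): (inception, expiration)}).

    Expects one record per line as owner/TTL/class/type/rdata, the way
    BIND's dnssec-signzone writes it; anything after ';' is a comment.
    Signature bytes are deliberately ignored: with some algorithms two
    signers never produce identical signatures, but their validity
    windows can still be made to agree.
    """
    serial, windows = None, {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if len(fields) < 5:
            continue  # blank or comment-only line
        owner, rtype, rdata = fields[0], fields[3], fields[4:]
        if rtype == "SOA":
            serial = int(rdata[2])  # SOA rdata: MNAME RNAME SERIAL REFRESH ...
        elif rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl EXPIRATION INCEPTION keytag signer sig
            windows[(owner, rdata[0])] = (rdata[5], rdata[4])
    return serial, windows


def compare_signers(zone_a, zone_b):
    """List divergences between two signers' copies of the same zone."""
    serial_a, sigs_a = parse_signed_zone(zone_a)
    serial_b, sigs_b = parse_signed_zone(zone_b)
    findings = []
    if serial_a != serial_b:
        findings.append(f"SOA serial differs: {serial_a} vs {serial_b}")
    for owner, covered in sorted(set(sigs_a) | set(sigs_b)):
        key = (owner, covered)
        if key not in sigs_a or key not in sigs_b:
            findings.append(f"RRSIG over {covered} at {owner} present on only one signer")
        elif sigs_a[key] != sigs_b[key]:
            findings.append(f"RRSIG over {covered} at {owner} validity differs: "
                            f"{sigs_a[key]} vs {sigs_b[key]}")
    return findings


# Constructed sample output from two signers of example.com (not real zone data).
# Signer B signed one second later: its unixtime serial and SOA RRSIG window moved.
SIGNER_A = """\
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1526984562 7200 3600 1209600 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20180605102242 20180522092242 12345 example.com. AAAA==
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20180605102242 20180522092242 12345 example.com. AAAA==
"""
SIGNER_B = SIGNER_A.replace("1526984562", "1526984563").replace(
    "SOA 8 2 3600 20180605102242 20180522092242", "SOA 8 2 3600 20180605102243 20180522092243")

if __name__ == "__main__":
    for finding in compare_signers(SIGNER_A, SIGNER_B):
        print(finding)
```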
