DNSSEC and secondary DNS servers

@lbutlr kremels at kreme.com
Sat Sep 8 13:58:11 UTC 2018

So, I setup up DNSSEC on my authoritative bind 9.12 server, which was very straightforward and works fine:

dig covisp.net +dnssec +short @
A 7 2 86400 20181008122535 20180908122535 17363 covisp.net. pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE i9itA3Si91/pImofmPnLPbxRbLzWt+dSfbxBoHaoCYK1ZCngw/vy9QlG 36Um0De5ItCC/GuflXUnBKmEJKx0pQOlvqSnkRSV75yLnAw3NA0BdKnf CBJP9QLQH/A1vojRafIER5MNM34lKfJC9QrMDBiUBYzrv3i/2QK3gE7t 8Y1Zpoemux8Uz/zps1I/pmjVAIixk2ilVOLDXkeS6Ta4ODrWayyuFM8b xwkodXsMtFAx5PhkVyHT5zJyScYYzC82aZs7fTmA6F01saabVsxIYAi6 78upgA==

But now, what do I need to do for other DNS servers? Is it enough to simply add

	dnssec-enable yes;
        dnssec-validation yes;
	managed-keys-directory "/usr/local/etc/namedb/working/keys";

? Should it simply validate the key with the primary and go from there? 

I tried this, but trying to do a dig +dnssec on the secondary DNS doesn’t return the record, so I think there must be something else.

More information about the bind-users mailing list