DNSSEC and secondary DNS servers

@lbutlr kremels at kreme.com
Sat Sep 8 13:58:11 UTC 2018


So, I set up DNSSEC on my authoritative bind 9.12 server, which was very straightforward and works fine:

dig covisp.net +dnssec +short @8.8.8.8
65.121.55.42
A 7 2 86400 20181008122535 20180908122535 17363 covisp.net. pkpVdFONJ2dYN+7wQ4pVcQTlWIThY3+mbNdXsE8p5uWiLNvIefVT32JE i9itA3Si91/pImofmPnLPbxRbLzWt+dSfbxBoHaoCYK1ZCngw/vy9QlG 36Um0De5ItCC/GuflXUnBKmEJKx0pQOlvqSnkRSV75yLnAw3NA0BdKnf CBJP9QLQH/A1vojRafIER5MNM34lKfJC9QrMDBiUBYzrv3i/2QK3gE7t 8Y1Zpoemux8Uz/zps1I/pmjVAIixk2ilVOLDXkeS6Ta4ODrWayyuFM8b xwkodXsMtFAx5PhkVyHT5zJyScYYzC82aZs7fTmA6F01saabVsxIYAi6 78upgA==

But now, what do I need to do for other DNS servers? Is it enough to simply add

	dnssec-enable yes;
	dnssec-validation yes;
	managed-keys-directory "/usr/local/etc/namedb/working/keys";

? Should it simply validate the key with the primary and go from there? 

I tried this, but trying to do a dig +dnssec on the secondary DNS doesn’t return the record, so I think there must be something else.
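
Added example, not part of the original post: a small Python check that reads `dig +dnssec +short` output like the output shown above and reports whether the reply carried an RRSIG and whether that signature is inside its validity window, so a primary's and a secondary's replies can be compared. The function names are hypothetical, and the signature in the sample is a constructed placeholder; the other sample fields are the ones shown in the post.

```python
from datetime import datetime, timezone

def _ts(value):
    # RRSIG timestamps are printed as YYYYMMDDHHmmSS in UTC (RFC 4034).
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_short(text):
    """Split `dig +dnssec +short` output into plain answers and RRSIG records."""
    answers, rrsigs = [], []
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        # RRSIG rdata: type-covered alg labels ttl expiration inception keytag signer sig...
        is_rrsig = (len(p) >= 9 and p[0].isalnum() and not p[0].isdigit()
                    and all(x.isdigit() for x in p[1:7])
                    and len(p[4]) == 14 and len(p[5]) == 14 and p[7].endswith("."))
        if is_rrsig:
            rrsigs.append({
                "type_covered": p[0], "algorithm": int(p[1]), "labels": int(p[2]),
                "orig_ttl": int(p[3]), "expiration": _ts(p[4]), "inception": _ts(p[5]),
                "key_tag": int(p[6]), "signer": p[7],
                "signature": "".join(p[8:]),  # dig prints the base64 in chunks
            })
        else:
            answers.append(line.strip())
    return answers, rrsigs

def classify(text, now):
    """Return a one-line verdict for one server's reply."""
    answers, rrsigs = parse_short(text)
    if not answers:
        return "no answer"
    if not rrsigs:
        return "answer without RRSIG"
    if any(not (s["inception"] <= now <= s["expiration"]) for s in rrsigs):
        return "RRSIG outside validity window"
    return "signed"

# Constructed samples: fields from the post, placeholder signature.
SIGNED = ("65.121.55.42\n"
          "A 7 2 86400 20181008122535 20180908122535 17363 covisp.net. "
          "UExBQ0VIT0xERVI= U0lHTkFUVVJF\n")
UNSIGNED = "65.121.55.42\n"

if __name__ == "__main__":
    now = datetime(2018, 9, 8, 13, 58, 11, tzinfo=timezone.utc)
    for name, reply in (("primary", SIGNED), ("secondary", UNSIGNED)):
        print(name, "->", classify(reply, now))
```
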



