<div dir="ltr"><div>Hi Matthijs,</div><div><br></div><div>thank you, so just to confirm something like this should work :<br></div><div>Master :</div><div>dnssec-policy "test" {<br> keys {<br> ksk lifetime P3D algorithm rsasha256 2048;<br> zsk lifetime P2D algorithm rsasha256 1024;<br> };<br>};<br><br>zone "**************" {<br> type master;<br> file "/*******/*****.db";<br> notify yes;<br> key-directory "/******/******/";<br> inline-signing yes;<br> dnssec-policy test;<br>};<br><br></div><div>And my Slaves :<br>zone
"**************" {<br> type slave;<br> masters {
**************
; };<br> file "/
**************/
**************
/
**************
.db";<br> key-directory "/
**************
/
**************
/
**************
.fr";<br> auto-dnssec maintain;<br> inline-signing yes;<br>};</div><div><br></div><div>am i rigth ?</div><div><br></div><div>Regards</div><div><br></div><div>Adrien<br></div><div><br></div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Le ven. 9 déc. 2022 à 09:33, Matthijs Mekking <<a href="mailto:matthijs@isc.org">matthijs@isc.org</a>> a écrit :<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi Adrien,<br>
<br>
You should **not** copy the dnssec-policy configuration to your <br>
secondaries. They transfer in the signed zone from the primary server.<br>
<br>
Best regards,<br>
<br>
Matthijs<br>
<br>
<br>
On 12/9/22 09:24, adrien sipasseuth wrote:<br>
> Hello,<br>
> <br>
> <br>
> Lokking for some guidance, sorry if i use the wrong way to contact <br>
> community user support.<br>
> <br>
> <br>
> I would like to set up DNSSEC using KASP.<br>
> <br>
> I have an architecture with a master and several slaves.<br>
> <br>
> Here is my policy and zone configuration:<br>
> <br>
> dnssec-policy "test" {<br>
> <br>
> keys {<br>
> <br>
> ksk lifetime P3D algorithm rsasha256 2048;<br>
> <br>
> zsk lifetime P2D algorithm rsasha256 1024;<br>
> <br>
> };<br>
> <br>
> };<br>
> <br>
> zone "**************" {<br>
> <br>
> type master;<br>
> <br>
> file "/*******/*****.db";<br>
> <br>
> notify yes;<br>
> <br>
> key-directory "/******/******/";<br>
> <br>
> inline-signing yes;<br>
> <br>
> dnssec-policy test;<br>
> <br>
> };<br>
> <br>
> <br>
> after restart, it seems ok, keys are generated on master, no errors in <br>
> logs etc.<br>
> <br>
> I copied this policy, the keys and the zone configuration on each of my <br>
> slaves then I restarted my slaves everything seems ok (in the logs).<br>
> <br>
> except that now I wonder if the keys on each of my slaves will be <br>
> generated independently from those of my master.<br>
> <br>
> <br>
> In this case, I will end up with different keys for the same zone <br>
> depending on the slave1 / slave2 etc / master. I suppose that it is not <br>
> good because we should have for the same zone, a pair of keys and this <br>
> one should be copied on each slaves?<br>
> <br>
> There some tuto / documentation about how to setup KASP in master / <br>
> slaves topology ?<br>
> <br>
> <br>
> Sorry if it's not enough clear...<br>
> <br>
> <br>
> Thank you<br>
> <br>
> *Adrien SIPASSEUTH*<br>
> <br>
> <br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>