<div dir="ltr"><div>Hi,</div><div><br></div><div>It seems to work! Thank you!<br><br>To summarize:<br>On the master side I have the following configuration:</div><div>
<pre style="font-family:'Courier New',monospace;font-size:10pt">dnssec-policy "test" {
    keys {
        ksk lifetime P3D algorithm rsasha256 2048;
        zsk lifetime P2D algorithm rsasha256 1024;
    };
};

zone "**************" {
    type master;
    file "/*******/*****.db";
    notify yes;
    key-directory "/******/******/";
    inline-signing yes;
    dnssec-policy test;
};
</pre>
</div><div>On the slaves' side I have the following configuration:</div><div><pre style="font-family:'Courier New',monospace;font-size:10pt">zone "**************" {
    type slave;
    masters { **************; };
    file "/**************/**************/**************.db";
};
</pre></div><div><br></div><div>The keys are generated on the master but not on the slaves.<br>So I don't understand how the slaves can read their zone file, which ends in ".signed", because they don't have the keys? (But it works with dig; I see DS with the right ZSK.)</div><div><br></div><div>Regards</div><div><br></div><div>Adrien<br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Dec 9, 2022 at 10:02, Matthijs Mekking <<a href="mailto:matthijs@isc.org">matthijs@isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Hi,<br>
<br>
No.<br>
<br>
You don't need DNSSEC maintenance on your secondary zones if you already <br>
have set it on your primary zones. So<br>
<br>
zone "***" {<br>
type secondary;<br>
primaries { ***; };<br>
file "***.db";<br>
};<br>
<br>
is enough.<br>
<br>
Best regards,<br>
<br>
Matthijs.<br>
<br>
On 12/9/22 09:58, adrien sipasseuth wrote:<br>
> Hi Matthijs,<br>
> <br>
> Thank you, so just to confirm, something like this should work:<br>
> Master :<br>
> dnssec-policy "test" {<br>
> keys {<br>
> ksk lifetime P3D algorithm rsasha256 2048;<br>
> zsk lifetime P2D algorithm rsasha256 1024;<br>
> };<br>
> };<br>
> <br>
> zone "**************" {<br>
> type master;<br>
> file "/*******/*****.db";<br>
> notify yes;<br>
> key-directory "/******/******/";<br>
> inline-signing yes;<br>
> dnssec-policy test;<br>
> };<br>
> <br>
> And my Slaves :<br>
> zone "**************" {<br>
> type slave;<br>
> masters { ************** ; };<br>
> file "/ **************/ ************** / ************** .db";<br>
> key-directory "/ ************** / ************** / ************** .fr";<br>
> auto-dnssec maintain;<br>
> inline-signing yes;<br>
> };<br>
> <br>
> Am I right?<br>
> <br>
> Regards<br>
> <br>
> Adrien<br>
> <br>
> <br>
> <br>
> <br>
> On Fri, Dec 9, 2022 at 09:33, Matthijs Mekking <<a href="mailto:matthijs@isc.org" target="_blank">matthijs@isc.org</a> <br>
> <mailto:<a href="mailto:matthijs@isc.org" target="_blank">matthijs@isc.org</a>>> wrote:<br>
> <br>
> Hi Adrien,<br>
> <br>
> You should **not** copy the dnssec-policy configuration to your<br>
> secondaries. They transfer in the signed zone from the primary server.<br>
> <br>
> Best regards,<br>
> <br>
> Matthijs<br>
> <br>
> <br>
> On 12/9/22 09:24, adrien sipasseuth wrote:<br>
> > Hello,<br>
> ><br>
> ><br>
> > Looking for some guidance; sorry if I use the wrong way to contact<br>
> > community user support.<br>
> ><br>
> ><br>
> > I would like to set up DNSSEC using KASP.<br>
> ><br>
> > I have an architecture with a master and several slaves.<br>
> ><br>
> > Here is my policy and zone configuration:<br>
> ><br>
> > dnssec-policy "test" {<br>
> > keys {<br>
> > ksk lifetime P3D algorithm rsasha256 2048;<br>
> > zsk lifetime P2D algorithm rsasha256 1024;<br>
> > };<br>
> > };<br>
> ><br>
> > zone "**************" {<br>
> > type master;<br>
> > file "/*******/*****.db";<br>
> > notify yes;<br>
> > key-directory "/******/******/";<br>
> > inline-signing yes;<br>
> > dnssec-policy test;<br>
> > };<br>
> ><br>
> ><br>
> > After restart, it seems OK; keys are generated on master, no errors in<br>
> > logs etc.<br>
> ><br>
> > I copied this policy, the keys and the zone configuration on each of my<br>
> > slaves, then I restarted my slaves; everything seems OK (in the logs).<br>
> ><br>
> > except that now I wonder if the keys on each of my slaves will be<br>
> > generated independently from those of my master.<br>
> ><br>
> ><br>
> > In this case, I will end up with different keys for the same zone<br>
> > depending on the slave1 / slave2 etc / master. I suppose that it is not<br>
> > good because we should have, for the same zone, a pair of keys, and this<br>
> > one should be copied on each slave?<br>
> ><br>
> > Is there some tutorial / documentation about how to set up KASP in a master /<br>
> > slaves topology?<br>
> ><br>
> ><br>
> > Sorry if it's not clear enough...<br>
> ><br>
> ><br>
> > Thank you<br>
> ><br>
> > *Adrien SIPASSEUTH*<br>
> ><br>
> ><br>
> -- <br>
> Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
> <<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a>> to unsubscribe<br>
> from this list<br>
> <br>
> ISC funds the development of this software with paid support<br>
> subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a><br>
> <<a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a>> for more information.<br>
> <br>
> <br>
> bind-users mailing list<br>
> <a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a> <mailto:<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>><br>
> <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
> <<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a>><br>
> <br>
> <br>
</blockquote></div>
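<p>The thread's conclusion is that a secondary needs no dnssec-policy of its own because it transfers the already-signed zone from the primary. The operational check that follows from this is that every secondary must answer with exactly the same DNSKEY RRset as the primary, and that the DS published in the parent must point at the primary's KSK. The script below, an added example that is not code from this thread or from ISC/BIND, computes RFC 4034 key tags and DS digests from dig-style DNSKEY records and reports any key a secondary is missing or has added. The zone name is a placeholder and the public-key bytes are constructed dummies, not real keys; in practice the two lists would be the output of <code>dig DNSKEY &lt;zone&gt; @&lt;server&gt;</code> against the primary and each secondary.</p>

```python
"""Check that a secondary serves the same DNSKEY RRset as its primary.

Added example; it is not code from the bind-users thread or from ISC/BIND.
All records below are constructed: the zone name is a placeholder and the
public-key bytes are dummies, not real RSA keys. In practice the two lists
would come from `dig DNSKEY <zone> @<primary>` and `dig DNSKEY <zone> @<secondary>`.
"""
import base64
import hashlib
import struct

ZONE = "example.test."  # placeholder; the thread masks the real zone name


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format (lower-case labels, RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag over the RDATA, RFC 4034 Appendix B (all algorithms except RSAMD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one presentation-format DNSKEY record as dig prints it."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    return {"flags": flags, "algorithm": algorithm, "tag": key_tag(rdata), "rdata": rdata}


def key_summary(records):
    """Set of (key tag, flags, algorithm) tuples that identifies a DNSKEY RRset."""
    return {(k["tag"], k["flags"], k["algorithm"]) for k in map(parse_dnskey, records)}


def compare_keysets(primary, secondary):
    """Return (missing_on_secondary, extra_on_secondary); both empty when in sync."""
    p, s = key_summary(primary), key_summary(secondary)
    return sorted(p - s), sorted(s - p)


def ds_from_ksk(zone: str, dnskey_line: str) -> str:
    """DS for a KSK: SHA-256 over owner name + DNSKEY RDATA (RFC 4034 5.1.4, digest type 2)."""
    k = parse_dnskey(dnskey_line)
    if not k["flags"] & 1:
        raise ValueError("DS must point at a key with the SEP bit set (flags 257 = KSK)")
    digest = hashlib.sha256(wire_name(zone) + k["rdata"]).hexdigest().upper()
    return f"{zone} 3600 IN DS {k['tag']} {k['algorithm']} 2 {digest}"


def ds_matches(ds_line: str, dnskey_lines, zone: str) -> bool:
    """True when the DS key tag and SHA-256 digest correspond to a KSK in the served RRset."""
    f = ds_line.split()
    idx = f.index("DS")
    tag, alg, dtype = int(f[idx + 1]), int(f[idx + 2]), int(f[idx + 3])
    digest = "".join(f[idx + 4:]).upper()  # dig may split the digest across tokens
    for k in map(parse_dnskey, dnskey_lines):
        if k["tag"] != tag or k["algorithm"] != alg or not k["flags"] & 1:
            continue  # only a KSK (SEP bit) with the same tag and algorithm can match
        if dtype == 2 and hashlib.sha256(wire_name(zone) + k["rdata"]).hexdigest().upper() == digest:
            return True
    return False


def record(flags: int, algorithm: int, pubkey: bytes) -> str:
    """Build a dig-style DNSKEY line from constructed key bytes."""
    return f"{ZONE} 3600 IN DNSKEY {flags} 3 {algorithm} {base64.b64encode(pubkey).decode()}"


# Constructed samples. The primary publishes one KSK (257) and one ZSK (256).
PRIMARY = [record(257, 8, b"\x03\x01\x00\x01\xde\xad\xbe\xef"),
           record(256, 8, b"\x03\x01\x00\x01\xca\xfe\xba\xbe")]
# A secondary configured as in the thread (no dnssec-policy) transfers the signed zone
# from the primary and therefore answers with the identical RRset.
SECONDARY_OK = list(PRIMARY)
# A secondary that wrongly ran its own dnssec-policy would publish a ZSK of its own.
SECONDARY_BAD = [PRIMARY[0], record(256, 8, b"\x03\x01\x00\x01\x00\x00\x00\x01")]

if __name__ == "__main__":
    for name, served in (("secondary-ok", SECONDARY_OK), ("secondary-bad", SECONDARY_BAD)):
        missing, extra = compare_keysets(PRIMARY, served)
        print(f"{name}: in sync={not missing and not extra} missing={missing} extra={extra}")
    ds = ds_from_ksk(ZONE, PRIMARY[0])
    print("DS from KSK:", ds)
    print("DS matches what the secondary serves:", ds_matches(ds, SECONDARY_OK, ZONE))
```

<p>Comparing (key tag, flags, algorithm) tuples rather than raw lines makes the check insensitive to TTL or whitespace differences between servers, while still catching the failure mode described earlier in the thread: a secondary that generated keys independently would show up with a missing and an extra ZSK. The DS check uses the SEP flag (257) deliberately, since the parent's DS is derived from the KSK, not the ZSK.</p>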