[Opendnssec-user] AXFR's Between OpenDNSSEC + PowerDNS

Sebastian Castro sebastian at nzrs.net.nz
Mon Jun 20 03:26:23 CEST 2011


On 06/20/2011 01:05 PM, Craig Whitmore wrote:
> 
>>>
>>
>> You are missing one important point. OpenDNSSEC doesn't provide outgoing
>> zone transfers, it has to rely on a nameserver to do that. It can do
>> incoming zone transfer (pull a zone from a nameserver).
>>
>>>
> 
> What I wanted to do is.. Pull a zone..... Sign the zone and then push it
> via an AXFR to a slave (or get the slave to pull the zone from the
> opendnssec) . Ie Acting as a signing proxy.
> 
> But what you are saying with opendnssec is it will request via an AXFR ->
> sign and then place the files on the harddrive (say in
> /var/lib/opendnssec/signed directory) and then you have to do something
> with it.
> 

That's correct.

> Ie run powerdns/bind again on the box where the files are and it will axfr
> them to the slaves.
> 

Exactly. OpenDNSSEC won't provide the signed data for distribution using
XFR by itself, requires a nameserver.

> (hidden master powerdns server) -> opendsnsec (saves files to directory)
> -> powerdns on the same box to axfr them to slaves.
> 

Yes, this sequence could work. You can use powerdns/bind/nsd to load the
signed zones and serve them to the slaves.

Cheers,

> 
> Thanks
> Craig
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>>>
> 
> 


-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535



More information about the Opendnssec-user mailing list