[Opendnssec-user] ODS2 signs a hidden-primary's zone data: best to push the signed data back to the primary to push to secondaries? or skip it, and let ODS2 populate them?
pgnet.dev at gmail.com
Sun Dec 25 00:40:06 UTC 2016
I'm adding ODS2 to my DNS infrastructure.
Atm, I've a hidden DNS primary, running split-view (external & internal) BIND9, located inside my LAN.
Only the LAN/24 sees the internal view.
The external sends NOTIFY to a hidden secondary on a VPS, which is NSD4.
My VPS-provider's nameservers pull changes from the hidden secondary instance, and publish responses publicly.
ODS2 execs atm on the same box as the hidden-primary, inside my LAN.
It retrieves zone data from the primary by AXFR, and listens for NOTIFY from it as well.
ODS2 then signs the data ... and either
(1) I can push the resulting ODS2-signed zones back to the hidden-primary's external view, and have BIND9 push the changes up through the secondary, etc.
(2) I can have ODS2 NOTIFY the secondary itself, pushing the signed-zone data onto the VPS instance, and never bother keeping an instance of the signed-zone data "in" the primary's zone data.
Is there any particular reason/advantage of keeping a local instance of the SIGNED zone data 'active' in the hidden-primary's external view, vs. just pushing it out to the secondary directly, still letting the ISP's nameservers consume/publish it from there?
Or is it simply a matter of convenience/preference, with no particular advantage one way or the other?
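For reference, this is what option (2) looks like as an OpenDNSSEC 2 DNS-adapter file (addns.xml), referenced from zonelist.xml as both the Input and Output adapter of the zone. It is an added illustration, not the poster's configuration: the addresses, key name and secret are placeholders, and the TSIG keys on both legs plus the narrow AllowNotify/ProvideTransfer peers are there so that only the hidden primary can feed the signer and only the NSD4 secondary can pull the signed zone.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example for option (2): signer takes AXFR/NOTIFY from the hidden
     BIND9 primary and hands the signed zone straight to the NSD4 secondary.
     All addresses and key material below are placeholders. -->
<Adapter>
  <DNS>
    <!-- One key per leg; generate with e.g. tsig-keygen / ldns-keygen and
         configure the same name/secret on the peer. -->
    <TSIG>
      <Name>primary-to-signer.example.</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>PLACEHOLDER_BASE64_SECRET_1</Secret>
    </TSIG>
    <TSIG>
      <Name>signer-to-secondary.example.</Name>
      <Algorithm>hmac-sha256</Algorithm>
      <Secret>PLACEHOLDER_BASE64_SECRET_2</Secret>
    </TSIG>

    <Inbound>
      <!-- Where the unsigned zone is fetched from: the hidden primary's
           external view (LAN address is a placeholder). -->
      <RequestTransfer>
        <Remote>
          <Address>192.0.2.10</Address>
          <Port>53</Port>
          <Key>primary-to-signer.example.</Key>
        </Remote>
      </RequestTransfer>
      <!-- Only the hidden primary may NOTIFY the signer, and only with TSIG. -->
      <AllowNotify>
        <Peer>
          <Prefix>192.0.2.10</Prefix>
          <Key>primary-to-signer.example.</Key>
        </Peer>
      </AllowNotify>
    </Inbound>

    <Outbound>
      <!-- Only the NSD4 hidden secondary on the VPS may AXFR the signed zone. -->
      <ProvideTransfer>
        <Peer>
          <Prefix>198.51.100.20</Prefix>
          <Key>signer-to-secondary.example.</Key>
        </Peer>
      </ProvideTransfer>
      <!-- Signer sends NOTIFY to the secondary after each resign/update. -->
      <Notify>
        <Remote>
          <Address>198.51.100.20</Address>
          <Port>53</Port>
          <Key>signer-to-secondary.example.</Key>
        </Remote>
      </Notify>
    </Outbound>
  </DNS>
</Adapter>
```

The signer's own listening address and port for inbound NOTIFY and outbound AXFR are set separately in conf.xml under the Signer Listener element, and the NSD4 secondary must then point its request-xfr and allow-notify at the signer rather than at the BIND9 primary.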