[Opendnssec-user] ODS2 signs a hidden-primary's zone data: best to push the signed data back to the primary to push to secondaries? or skip it, and let ODS2 populate them?

PGNet Dev pgnet.dev at gmail.com
Sun Dec 25 00:40:06 UTC 2016

I'm adding ODS2 to my DNS infrastructure.

At the moment, I have a hidden DNS primary running split-view (external & internal) BIND9, located inside my LAN.

Only the LAN /24 sees the internal view.

The external view sends NOTIFY to a hidden secondary on a VPS, which runs NSD4.

My VPS provider's nameservers pull changes from the hidden secondary instance and publish responses publicly.

ODS2 currently executes on the same box as the hidden primary, inside my LAN.

It retrieves zone data from the primary by AXFR, and listens for NOTIFY from it as well.

ODS2 then signs the data ... and either

(1) I can push the resulting ODS2-signed zones back to the hidden primary's external view, and have BIND9 push the changes up through the secondary, etc.

(2) I can have ODS2 NOTIFY the secondary itself, pushing the signed-zone data onto the VPS instance, and never bother keeping an instance of the signed-zone data "in" the primary's zone data.

Is there any particular reason or advantage to keeping a local instance of the SIGNED zone data 'active' in the hidden primary's external view, vs. just pushing it out to the secondary directly, still letting the ISP's nameservers consume/publish it from there?

Or is it simply a matter of convenience/preference, with no particular advantage one way or the other?
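For reference, here is what option (2) looks like as an OpenDNSSEC 2.x DNS-adapter configuration (addns.xml): ODS pulls the unsigned zone from the hidden primary by AXFR, accepts NOTIFY from it, and hands the signed zone straight to the NSD4 secondary on the VPS, so the signed data never goes back into BIND. This is an added example, not configuration from the original post or from the OpenDNSSEC project; the addresses (192.0.2.10 for the hidden primary, 198.51.100.5 for the VPS secondary), the TSIG key name and secret, and the zone name example.com are placeholders I assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- addns.xml for ODS2: unsigned zone in from BIND9, signed zone out to NSD4.
     Addresses, key name and secret below are assumed placeholders. -->
<Adapter>
    <DNS>
        <!-- One TSIG key shared by all three boxes; use a per-peer key in
             production so the VPS cannot impersonate the hidden primary. -->
        <TSIG>
            <Name>ods_key</Name>
            <Algorithm>hmac-sha256</Algorithm>
            <Secret>aGlkZGVuLXByaW1hcnktcGxhY2Vob2xkZXItc2VjcmV0</Secret>
        </TSIG>

        <Inbound>
            <!-- Where ODS fetches the UNSIGNED zone: the hidden primary's
                 external view. BIND must allow-transfer to this key. -->
            <RequestTransfer>
                <Remote>
                    <Address>192.0.2.10</Address>
                    <Port>53</Port>
                    <Key>ods_key</Key>
                </Remote>
            </RequestTransfer>
            <!-- Only the hidden primary may NOTIFY ODS, and only with TSIG. -->
            <AllowNotify>
                <Peer>
                    <Prefix>192.0.2.10</Prefix>
                    <Key>ods_key</Key>
                </Peer>
            </AllowNotify>
        </Inbound>

        <Outbound>
            <!-- Only the VPS secondary may AXFR the SIGNED zone from ODS. -->
            <ProvideTransfer>
                <Peer>
                    <Prefix>198.51.100.5</Prefix>
                    <Key>ods_key</Key>
                </Peer>
            </ProvideTransfer>
            <!-- ODS sends NOTIFY to the VPS secondary after each resign. -->
            <Notify>
                <Remote>
                    <Address>198.51.100.5</Address>
                    <Port>53</Port>
                    <Key>ods_key</Key>
                </Remote>
            </Notify>
        </Outbound>
    </DNS>
</Adapter>
```

The zone then references this file as both input and output adapter in zonelist.xml (`<Input><Adapter type="DNS">/etc/opendnssec/addns.xml</Adapter></Input>` and the same under `<Output>`), and conf.xml needs a `<Listener>` under `<Signer>` so ODS actually answers AXFR and NOTIFY on the address the secondary talks to. On the NSD4 side the zone gets `request-xfr:` and `allow-notify:` pointing at the ODS listener with the same key, while its `provide-xfr:`/`notify:` lines for the ISP nameservers stay exactly as they are today, which is the point of option (2): nothing downstream of the VPS changes. The practical trade-off is that with option (2) the hidden primary's external view keeps serving unsigned data, so any check you run against it (e.g. `dig @192.0.2.10 example.com SOA +dnssec`) will not show RRSIGs; check the VPS secondary instead, and confirm its SOA serial matches what `ods-signer` last published.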
