Hi Graham,

On 2/29/20 5:27 PM, Graham Clinch wrote:
> How does the new-in-9.16 dnssec-policy interact with views - in
> particular for key generation/rollover?
>
> For example, we have a zone defined in multiple views with different
> contents (and thus not suitable for in-view), being signed by the same
> set of keys (currently maintained by dnssec-keymgr) - this allows us to
> publish only a single set of DS records for that zone.
>
> If a zone 'example.net' is defined in view 'a', and a zone 'example.net'
> is defined in view 'b', but both views share a single key-directory, is
> it 'safe' to configure dnssec-policy in both views?
Thanks for sharing your use case. I tried it and it is unsafe to do so in 9.16.0. The dnssec-policy does not take into account shared keys. But with views you sort of implicitly have shared keys because you have multiple versions of the zone. In the current code there is a race condition on running key management on the different versions of the zone which may result in too many keys.

I created an issue for this bug: https://gitlab.isc.org/isc-projects/bind9/issues/1653

And I have a proposed fix for it. It may make the 9.16.1 release, otherwise 9.16.2. With this fix you should be able to safely configure dnssec-policy for a zone in multiple views, sharing the same set of keys.

Best regards,

Matthijs

>
> Graham
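The failure mode Matthijs describes (the per-view key management racing and leaving "too many keys" in the shared key-directory) is easy to spot on disk, because every key BIND generates lands there as a K<zone>.+<alg>+<id>.key/.private pair (plus a .state file under dnssec-policy). The POSIX shell check below is an added example, not code from the thread or from ISC; it counts the key files per zone in a directory and warns when the count exceeds what the policy should produce (one CSK for the built-in "default" policy, two for a separate KSK/ZSK pair as with dnssec-keymgr). The sample directory it builds under mktemp is constructed for the demonstration and contains empty placeholder files, not real keys.

```shell
#!/bin/sh
# Added example (not from the bind-users thread or from ISC): detect
# surplus DNSSEC keys in a key-directory that several views of the same
# zone share. Assumes BIND's key file naming K<zone>.+<alg>+<id>.key
# (zone name with trailing dot), e.g. Kexample.net.+013+11111.key.

# count_keys ZONE DIR: print the number of .key files for ZONE in DIR.
count_keys() {
    zone=$1
    dir=$2
    n=0
    for f in "$dir"/K"$zone".+*.key; do
        [ -e "$f" ] || continue   # no match leaves the literal pattern
        n=$((n + 1))
    done
    echo "$n"
}

# check_keys ZONE DIR EXPECTED: return 0 if ZONE has at most EXPECTED
# keys in DIR, 1 (with a warning on stderr) if there are surplus keys.
check_keys() {
    zone=$1
    dir=$2
    expected=$3
    n=$(count_keys "$zone" "$dir")
    if [ "$n" -gt "$expected" ]; then
        echo "WARNING: $zone has $n keys in $dir, expected at most $expected" >&2
        return 1
    fi
    echo "OK: $zone has $n keys in $dir"
    return 0
}

# make_demo_dir: build a constructed sample key-directory (empty
# placeholder files, not real keys) and print its path. example.net
# shows the race outcome: two CSKs where the default policy wants one.
make_demo_dir() {
    d=$(mktemp -d)
    for id in 11111 22222; do
        : > "$d/Kexample.net.+013+$id.key"
        : > "$d/Kexample.net.+013+$id.private"
        : > "$d/Kexample.net.+013+$id.state"
    done
    # example.org: a single CSK, as expected
    : > "$d/Kexample.org.+013+33333.key"
    : > "$d/Kexample.org.+013+33333.private"
    : > "$d/Kexample.org.+013+33333.state"
    echo "$d"
}

# Invoke as "sh keycheck.sh demo" to run against the constructed
# directory; otherwise call check_keys with your own zone, directory
# and expected key count (1 for the default policy's single CSK).
case "${1:-}" in
    demo)
        demo_dir=$(make_demo_dir)
        check_keys example.org "$demo_dir" 1
        check_keys example.net "$demo_dir" 1
        status=$?
        rm -rf "$demo_dir"
        exit $status
        ;;
esac
```

Run it against the real key-directory after enabling dnssec-policy in each view, and again after the next key-management run; a count that keeps growing, rather than settling at the policy's steady-state number, is the race at work. During a planned rollover the count is legitimately one higher, so raise EXPECTED for that window rather than treating the warning as a fault.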
_______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users