Nick,
On 27-05-2022 10:27, Nick Tait via bind-users wrote:
> On 26/05/22 20:34, Matthijs Mekking wrote:
>> What version are you using? We had a bug with dnssec-policy and views
>> (#2463), but that has been fixed.
>> Since 9.16.18 you should not be able to set the same key-directory for
>> the same zone in different views.
>
> Hi Matthijs.
> You got me worried just then because for several years I have been using
> a split DNS set-up, with the same zone defined in two different views
> which share a common keys directory. And then about a month ago I
> upgraded from 9.16.something to 9.18.1.
> But I've managed to find the release note that I think you're referring
> to. From
> https://downloads.isc.org/isc/bind9/9.16.29/doc/arm/html/notes.html#id24 :
>     Zones which are configured in multiple views, with different values
>     set for |dnssec-policy| and with identical values set for
>     |key-directory|, are now detected and treated as a configuration
>     error. *[GL #2463]*
>     <https://gitlab.isc.org/isc-projects/bind9/-/issues/2463>
> So based on this it would seem that it is OK for two views to define the
> same DNSSEC zone and share the same keys directory, *as long as they are
> using the same dnssec-policy*?

That is correct. Since key files don't have views in their name, each
key in the key-directory corresponds to all zones with the same name,
regardless of the view. Having a *different* policy causes continuous
mismatches between what keys are in use for a certain zone and what is
expected according to its policy.
Having the same policy for each zone per view should work fine*.
Best regards,
Matthijs
*With Sandro's case being investigated at the moment.

> Please advise if I've got that wrong?
> Thanks,
> Nick.
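
An added example, not part of the original thread and not taken from ISC's documentation: a split-view named.conf in which both views serve the same signed zone from one key-directory under one dnssec-policy, which is the arrangement confirmed in the reply above. The zone name, file paths, policy name, key parameters and address range are assumptions chosen for illustration.

```conf
# Assumed policy name and key parameters, for illustration only.
dnssec-policy "split" {
    keys { csk lifetime unlimited algorithm ecdsap256sha256; };
};

view "internal" {
    match-clients { 10.0.0.0/8; };      # assumed internal range
    zone "example.com" {
        type primary;
        file "internal/example.com.db";
        inline-signing yes;
        key-directory "keys/example.com";   # shared with the other view
        dnssec-policy "split";              # same policy in both views
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.db";
        inline-signing yes;
        key-directory "keys/example.com";   # same directory: key file names
                                            # carry no view, so these keys
                                            # belong to both copies of the zone
        dnssec-policy "split";              # must match the internal view

        # Rejected variant, per the [GL #2463] release note quoted above:
        # keeping the shared key-directory but selecting a different policy
        # here, for example
        #     dnssec-policy "default";
        # is treated as a configuration error. If the views need different
        # policies, give each view its own key-directory instead.
    };
};
```

Running `named-checkconf` against the configuration before reloading is the quickest way to confirm that the installed version accepts the combination.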