I am finally getting around to setting up DNSSEC on my server (BIND 9.16). I found some instructions online and was able to set up one of my zones and confirm that the keys are being returned. However, after doing a bit more testing I ran into a couple of issues.

I am using the recommended setup with the "dnssec-policy default" and "inline-signing yes".

The first issue is that my server uses a few views to give different IPs based on which network the request comes from.  I found that if I point the zones in the different views to the same key directory, there are no errors and all views return the same keys when I test with dig.  So this appears to work.  Are there any gotchas that might come up with this setup?

The second issue is that I have multiple zones that all point to the same file since those domains all go to the same set of servers. Right now, I am using the same zone file for all of them.  This works fine currently, but when I try to enable DNSSEC for those domains, I get an error "writable file ... already in use".  The simple answer would be to make a unique file for each zone, however I would rather keep a single file updated instead of having to make changes to all of the individual files whenever something changes with those servers.  So far, the only other solution I've found is to manage the keys manually, which seems to add quite a bit of complexity to the setup.  Is there a better way to do this?

Thanks,

Bowie
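The "writable file ... already in use" error in the second question comes from several zones pointing at one file that named must write next to (inline-signing keeps the signed copy and journal beside the zone file, so two zones cannot own the same file). The following is an added example, not code from the original post or from ISC: it keeps a single shared record set and gives each zone a one-line wrapper that pulls it in with $INCLUDE, then prints matching named.conf stanzas using the same dnssec-policy/inline-signing settings the post describes. The directory paths, zone names and record data are constructed for the example; named-checkzone is only run if it is installed.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): several zones share
# one edited record set via $INCLUDE, while each zone keeps its own small
# wrapper file so inline-signing has a distinct writable file per zone.
set -eu

# Assumed layout (hypothetical paths; override through the environment).
ZONEDIR="${ZONEDIR:-${TMPDIR:-/tmp}/bind-shared-example/zones}"
KEYDIR="${KEYDIR:-${TMPDIR:-/tmp}/bind-shared-example/keys}"
SHARED="$ZONEDIR/shared-hosts.db"

# The one file you keep editing. Every name is relative, so the same records
# resolve under whichever zone origin includes them.
write_shared_records() {
    mkdir -p "$ZONEDIR" "$KEYDIR"
    cat > "$SHARED" <<'EOF'
; shared-hosts.db (constructed sample data): included by every wrapper file
@       IN SOA  ns1 hostmaster 2024010101 3600 900 1209600 300
@       IN NS   ns1
@       IN NS   ns2
ns1     IN A    192.0.2.1
ns2     IN A    192.0.2.2
@       IN A    192.0.2.10
www     IN A    192.0.2.10
EOF
}

# Per-zone wrapper: a file named can write "<file>.signed" and "<file>.jnl"
# beside without colliding with any other zone.
write_wrapper() {  # $1 = zone name
    printf '$TTL 3600\n$INCLUDE "%s"\n' "$SHARED" > "$ZONEDIR/$1.db"
}

# Print the named.conf zone block for one zone (same policy, own file).
zone_stanza() {  # $1 = zone name
    cat <<EOF
zone "$1" {
    type primary;
    file "$ZONEDIR/$1.db";
    dnssec-policy default;
    inline-signing yes;
    key-directory "$KEYDIR";
};
EOF
}

# Validate a wrapper with named-checkzone when BIND is installed; otherwise
# report "skipped" so the script still runs on a machine without it.
check_zone() {  # $1 = zone name
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$1" "$ZONEDIR/$1.db" && echo "ok" || echo "fail"
    else
        echo "skipped"
    fi
}

main() {
    write_shared_records
    for z in example.net example.org; do
        write_wrapper "$z"
        zone_stanza "$z"
        echo "// named-checkzone $z: $(check_zone "$z")"
    done
}
main
```

After editing shared-hosts.db, bump the SOA serial once (it is shared) and `rndc reload` each zone, or the whole server; named re-signs each zone's own file. The key-directory can still be shared as in the post, since the keys are tracked per zone name. For the view question, when a second view should serve exactly the same data as the first, reference the zone with `in-view "<name-of-first-view>"` instead of redefining it; when the views serve different records, they are separate zone instances to named and each needs its own wrapper file.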
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.