On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users <
bind-users@lists.isc.org> wrote:

> I am finally getting around to setting up DNSSEC on my server (Bind
> 9.16).  I found some instructions online and was able to set up one of
> my zones and confirm that the keys are being returned.  However, after
> doing a bit more testing I ran into a couple of issues.
>
> I am using the recommended setup with the "dnssec-policy default" and
> "inline-signing yes".
>
> The first issue is that my server uses a few views to give different IPs
> based on which network the request comes from.  I found that if I point
> the zones in the different views to the same key directory, there are no
> errors and all views return the same keys when I test with dig.  So this
> appears to work.  Are there any gotchas that might come up with this setup?
>

I think this will work because the key files include the zone name, so they
will be unique.


>
> The second issue is that I have multiple zones that all point to the
> same file since those domains all go to the same set of servers. Right
> now, I am using the same zone file for all of them.  This works fine
> currently, but when I try to enable DNSSEC for those domains, I get an
> error "writable file ... already in use".  The simple answer would be to
> make a unique file for each zone, however I would rather keep a single
> file updated instead of having to make changes to all of the individual
> files whenever something changes with those servers.  So far, the only
> other solution I've found is to manage the keys manually, which seems to
> add quite a bit of complexity to the setup.  Is there a better way to do
> this?
>

I am using "in-view" so I only have one copy of the zone in memory and on
disk.

In the 'oncampus' view:
zone "umich.edu" {
    type slave;
    file "oncampus/edu.umich";
    masters {
        "DNS123";
    };
};

And in the other view:
zone "umich.edu" {
    in-view "oncampus";
};

-- 
Bob Harold


>
> Thanks,
>
> Bowie
>
>
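The two patterns discussed in this thread side by side, as an added named.conf example (this is not Bob Harold's or Bowie Bailey's configuration): a split-horizon zone that keeps a separate zone file per view but points both views at one key directory, and a zone whose content is identical in both views, shared with "in-view" so it is loaded and signed once. View names, ACL prefixes, zone names, file paths and the key directory are placeholders.

```conf
// Added example, not from the original posts. Names and paths are placeholders.

acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; };

view "internal" {
    match-clients { internal-nets; };

    // Split-horizon zone: different records per view, so each view needs
    // its own unsigned file. Both views share one key directory; the key
    // file names carry the zone name and key id, so the two views use the
    // same KSK/ZSK and a single DS in the parent matches either answer.
    zone "corp.example" {
        type primary;                      // "master" in older configs
        file "internal/corp.example.db";
        dnssec-policy default;
        inline-signing yes;                // signed copy goes to <file>.signed
        key-directory "/var/named/keys";   // must be writable by named
    };

    // Zone with identical content in every view: define it once here.
    zone "www.example" {
        type primary;
        file "shared/www.example.db";
        dnssec-policy default;
        inline-signing yes;
        key-directory "/var/named/keys";
    };
};

view "external" {
    match-clients { any; };

    // Same zone name, different data: its own file, same key directory.
    zone "corp.example" {
        type primary;
        file "external/corp.example.db";
        dnssec-policy default;
        inline-signing yes;
        key-directory "/var/named/keys";
    };

    // Reference the copy already loaded in "internal": one zone object in
    // memory, one .signed file and journal on disk. No other zone options
    // (file, dnssec-policy, ...) may be given alongside in-view.
    zone "www.example" {
        in-view "internal";
    };
};
```

Two checks worth doing after wiring this up: run `named-checkconf` on the result, and confirm with `dig +dnssec` from each network that both views of `corp.example` return RRSIGs made with the same key tag. The "writable file ... already in use" error from the second question comes from inline signing, which writes a `.signed` file and a journal next to each unsigned zone file; two zone names pointing at one file would both try to own those. One way to keep a single place to edit, still one file name per zone, is a small per-zone file holding only the SOA and NS records that then pulls in the common records with `$INCLUDE "shared/servers.db";`; validate each with `named-checkzone` before reloading.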
-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
