> On 18 Oct 2024, at 18.50, Bowie Bailey via bind-users <bind-users@lists.isc.org> wrote:
>
> On 10/18/2024 12:07 PM, Bob Harold wrote:
>>
>> On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users <bind-users@lists.isc.org> wrote:
>>> I am finally getting around to setting up DNSSEC on my server (Bind 9.16). I found some instructions online and was able to set up one of my zones and confirm that the keys are being returned. However, after doing a bit more testing I ran into a couple of issues.
>>>
>>> I am using the recommended setup with the "dnssec-policy default" and "inline-signing yes".
>>>
>>> The first issue is that my server uses a few views to give different IPs based on which network the request comes from. I found that if I point the zones in the different views to the same key directory, there are no errors and all views return the same keys when I test with dig. So this appears to work. Are there any gotchas that might come up with this setup?
>>
>> I think this will work because the key files include the zone name, so they will be unique.
>>
>>> The second issue is that I have multiple zones that all point to the same file since those domains all go to the same set of servers. Right now, I am using the same zone file for all of them. This works fine currently, but when I try to enable DNSSEC for those domains, I get an error "writable file ... already in use". The simple answer would be to make a unique file for each zone; however, I would rather keep a single file updated instead of having to make changes to all of the individual files whenever something changes with those servers. So far, the only other solution I've found is to manage the keys manually, which seems to add quite a bit of complexity to the setup. Is there a better way to do this?
>>
>> I am using "in-view" so I only have one copy of the zone in memory and on disk.
>>
>> In the 'oncampus' view:
>>
>>     zone "umich.edu" {
>>         type slave;
>>         file "oncampus/edu.umich";
>>         masters { "DNS123"; };
>>     };
>>
>> And in the other view:
>>
>>     zone "umich.edu" {
>>         in-view "oncampus";
>>     };
>
> This isn't quite the same as my setup. I don't think there are any files shared between views. The issue is that within one view, multiple zones will point to the same file. For example:

This could be a problem; in my setup all zones have their own files, no sharing of files. I think I do remember advice against sharing files.

>     zone "test.com" {
>         type master;
>         file "db.test.com";
>     };
>
>     zone "test2.com" {
>         type master;
>         file "db.test.com";
>     };
>
> I would like to have DNSSEC active on both domains, but since they are sharing a file, Bind complains about it.
>
> --
> Bowie
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-- 
Best regards
Sten Carlsen

A pessimist is a person that can find a problem for every solution.
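One way to keep the shared records in a single file while still giving every zone the unique writable file that inline signing needs, added here as an illustration and not posted by anyone in this thread. It reuses Bowie's zone names test.com and test2.com; the file names db.test2.com and common-servers.db, the 192.0.2.x addresses and the SOA values are assumptions, and the per-zone statements are written for the "dnssec-policy default" plus "inline-signing yes" setup described above:

```text
// --- named.conf (fragment) ---
// Each zone gets its own writable file. With inline-signing, named writes
// the signed copy to <file>.signed and a journal next to it, which is why
// two zones pointing at "db.test.com" fail with
// "writable file ... already in use".
zone "test.com" {
    type master;
    file "db.test.com";
    dnssec-policy default;
    inline-signing yes;
};

zone "test2.com" {
    type master;
    file "db.test2.com";
    dnssec-policy default;
    inline-signing yes;
};

; --- db.test.com and db.test2.com (identical content, one file per zone) ---
; The per-zone file exists only so that the file name is unique; the
; records live in one shared fragment. The path is relative to named's
; "directory" option (assumed here).
$INCLUDE common-servers.db

; --- common-servers.db (shared fragment, constructed sample content) ---
; Every owner and target name is relative (no trailing dot), so each
; including zone expands it under its own origin: "ns1" becomes
; ns1.test.com in one zone and ns1.test2.com in the other. An absolute
; name here would be copied verbatim into every zone and be out-of-zone
; data for all but one of them.
$TTL 3600
@       IN  SOA   ns1 hostmaster ( 2024101801 7200 3600 1209600 3600 )
@       IN  NS    ns1
@       IN  NS    ns2
ns1     IN  A     192.0.2.1
ns2     IN  A     192.0.2.2
@       IN  A     192.0.2.10
www     IN  CNAME @
```

Check it with named-checkconf and, from named's working directory so the $INCLUDE resolves, named-checkzone test.com db.test.com and named-checkzone test2.com db.test2.com. After rndc reload, dig @<server> test2.com SOA +dnssec should return an RRSIG for each zone. One caveat: named may skip reloading a zone whose own file has not changed ("skipping load: master file older than last load"), so after editing common-servers.db, touch each per-zone file (and bump the serial) before reloading.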