I am running this setup, it works. My 2 zones are internal and external, so testing from outside can only show one side.
Thanks
Sten

> On 18 Oct 2024, at 18.07, Bob Harold <rharo...@umich.edu> wrote:
>
> On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users <bind-users@lists.isc.org> wrote:
>> I am finally getting around to setting up DNSSEC on my server (Bind 9.16). I found some instructions online and was able to set up one of my zones and confirm that the keys are being returned. However, after doing a bit more testing I ran into a couple of issues.
>>
>> I am using the recommended setup with the "dnssec-policy default" and "inline-signing yes".
>>
>> The first issue is that my server uses a few views to give different IPs based on which network the request comes from. I found that if I point the zones in the different views to the same key directory, there are no errors and all views return the same keys when I test with dig. So this appears to work. Are there any gotchas that might come up with this setup?
>
> I think this will work because the key files include the zone name, so they will be unique.
>
>> The second issue is that I have multiple zones that all point to the same file since those domains all go to the same set of servers. Right now, I am using the same zone file for all of them. This works fine currently, but when I try to enable DNSSEC for those domains, I get an error "writable file ... already in use". The simple answer would be to make a unique file for each zone, however I would rather keep a single file updated instead of having to make changes to all of the individual files whenever something changes with those servers. So far, the only other solution I've found is to manage the keys manually, which seems to add quite a bit of complexity to the setup. Is there a better way to do this?
>
> I am using "in-view" so I only have one copy of the zone in memory and on disk.
> In the 'oncampus' view:
>
> zone "umich.edu" {
>     type slave;
>     file "oncampus/edu.umich";
>     masters { "DNS123"; };
> };
>
> And in the other view:
>
> zone "umich.edu" {
>     in-view "oncampus";
> };
>
> --
> Bob Harold
>
>> Thanks,
>>
>> Bowie
>
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions.
> Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
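The in-view arrangement Bob describes, written out as a complete named.conf fragment with the dnssec-policy and inline-signing settings from Bowie's question. This is an added example, not configuration posted by anyone in the thread; the ACL ranges, zone name, file paths and key directory are placeholders. The zone is loaded and signed once, in the first view, and the second view only references it, so there is a single unsigned file, a single signed copy and a single key set on disk.

```conf
// Added example: one signed zone served from two views via in-view.
// Network ranges, file names and the key directory are assumed placeholders.
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; };

options {
    directory "/var/named";
};

view "internal" {
    match-clients { internal-nets; };

    // The zone is loaded and signed exactly once, here.
    zone "example.com" {
        type primary;
        file "primary/example.com.zone";
        key-directory "keys";       // relative to options.directory
        dnssec-policy default;
        inline-signing yes;         // needed alongside dnssec-policy on 9.16
    };
};

view "external" {
    match-clients { any; };

    // Reuse the in-memory zone (and its signed copy) from the view above.
    // An in-view zone takes no other options; the referenced view must be
    // defined earlier in the file.
    zone "example.com" {
        in-view "internal";
    };
};
```

Two caveats follow from how this works. First, an in-view zone serves identical data in both views, so it fits Sten's internal/external split only where the zone content does not differ per view; a zone that must hand out different addresses per network still needs a separate definition (and, as Bowie found, a shared key directory is fine for that because key file names carry the zone name). Second, inline signing writes a signed copy next to the unsigned file for each zone that owns it, which is why two zone statements pointing at the same `file` produce the "writable file ... already in use" error; in-view sidesteps this for the multi-view case because only one zone statement owns the file. Validate with `named-checkconf` before reloading.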