On 10/18/2024 6:19 PM, Nick Tait via bind-users wrote:
On 19/10/2024 05:50, Bowie Bailey via bind-users wrote:
On 10/18/2024 12:07 PM, Bob Harold wrote:
On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users <bind-users@lists.isc.org> wrote:
The first issue is that my server uses a few views to give different IPs based on which network the request comes from. I found that if I point the zones in the different views to the same key directory, there are no errors and all views return the same keys when I test with dig. So this appears to work. Are there any gotchas that might come up with this setup?
I think this will work because the key files include the zone name, so they will be unique.
I've been doing the same for years and never had any issues.
Good to know.
The second issue is that I have multiple zones that all point to the same file since those domains all go to the same set of servers. Right now, I am using the same zone file for all of them. This works fine currently, but when I try to enable DNSSEC for those domains, I get an error "writable file ... already in use". The simple answer would be to make a unique file for each zone, however I would rather keep a single file updated instead of having to make changes to all of the individual files whenever something changes with those servers. So far, the only other solution I've found is to manage the keys manually, which seems to add quite a bit of complexity to the setup. Is there a better way to do this?
zone "test.com" {
    type master;
    file "db.test.com";
};
zone "test2.com" {
    type master;
    file "db.test.com";
};
I would like to have DNSSEC active on both domains, but since they
are sharing a file, Bind complains about it.
If you are using Linux, I'd suggest looking at using filesystem links
so that you can have separate files that share the same content. (See
"man ln".)
That is an interesting idea. I'm familiar with hard links, but I hadn't
considered using them here. My other idea was copying one of the zone
files to a "master" file and then $INCLUDING that file in each of the
individual zone files. I'm not sure if bind will let me put the SOA
into an include. I'll do some testing on both options later today and
see what works.
--
Bowie
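
Added example, not part of the thread: a shell sketch of the $INCLUDE idea mentioned above, giving each zone its own small file (so named sees a distinct writable file per zone) that pulls its records from one shared file. The file name db.shared, the helper functions and the dnssec-policy/inline-signing lines are assumptions, as is named accepting the SOA from the included file, which the thread leaves untested.

```shell
#!/bin/sh
# Added example; zone names, file names and addresses are constructed.

# Print owner names in the shared file that are fully qualified (end in ".").
# Such records belong to one zone only and are out-of-zone in the others.
absolute_owners() {
    awk '/^[^ \t;$]/ && $1 ~ /\.$/ { print $1 }' "$1"
}

# write_stub DIR SHARED ZONE: create DIR/db.ZONE holding only an $INCLUDE.
# named resolves the included name relative to its working directory.
write_stub() {
    printf '; generated: records live in %s\n$INCLUDE %s\n' "$2" "$2" > "$1/db.$3"
}

# zone_stanza ZONE: print a named.conf zone block with its own file.
zone_stanza() {
    printf 'zone "%s" {\n\ttype master;\n\tfile "db.%s";\n' "$1" "$1"
    # Assumption: DNSSEC is enabled via dnssec-policy with inline signing.
    printf '\tdnssec-policy default;\n\tinline-signing yes;\n};\n'
}

# build DIR SHARED ZONE...: refuse a shared file with absolute owner names,
# then write one stub per zone and print the matching stanzas.
build() {
    dir=$1 shared=$2; shift 2
    bad=$(absolute_owners "$dir/$shared")
    if [ -n "$bad" ]; then
        echo "absolute owner names in $shared: $bad" >&2
        return 1
    fi
    for zone in "$@"; do
        write_stub "$dir" "$shared" "$zone"
        zone_stanza "$zone"
    done
}

# Demo on constructed data in a temporary directory.
tmp=$(mktemp -d)
cat > "$tmp/db.shared" <<'EOF'
$TTL 3600
@   IN SOA ns1 hostmaster 2024101801 3600 900 604800 3600
@   IN NS  ns1
ns1 IN A   192.0.2.1
EOF
build "$tmp" db.shared test.com test2.com
rm -rf "$tmp"
```

Only the shared file is edited by hand; the per-zone stubs never change, so signing state written next to each stub stays separate per zone.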