On Mon 22 May, Julian Fölsch <julian.foel...@agdsn.de> wrote:
> This however had the side effect that child zones that are not signed were no
> longer resolving so I thought "Let's just sign them. Can't be that hard,
> right?"
Verifiably-insecure delegations (a zone cut with no DS records on the parent
side) should not be a problem to resolve through a validating resolver. You
shouldn't have to sign your child zones to make them work. It seems possible
that something else was wrong?
> I was very wrong.
> One of the child zones is for hosts using DHCP and is managed by dnsmasq that
> unfortunately can't sign the zone.
> But it can do zone transfers.
> So we tried a setup using opendnssec as a signing proxy that transfers the
> zone to an unbound.
> Unfortunately this has proven unreliable at best and broken at worst so I am
> looking to replace that.
There are a variety of other DNSSEC signers that can act as "bump in the wire"
signers (where the "wire" is [AI]XFR). There are people who actually write that
kind of software on this list and my hands-on with this stuff is a bit long in
the tooth, so I won't try to speak for any of them.
> I was just looking around for a DHCP server that directly can sign the zone
> but I was unable to find something so far.
> So I was wondering how other people are doing this.
>
> Are you signing DHCP zones?
> Would you recommend (not) doing it?
> If you are doing it, how are you doing it?
It used to be quite common to glue DHCP servers to the DNS using dynamic
updates, so that a DHCP server sends a DNS UPDATE when it wants to add or drop
a binding to an address. If the DNS server handling the DNS UPDATE requests can
also act as a DNSSEC signer, that might work for you. I have set up BIND9 like
that before and it was fairly painless.
Joe
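The dynamic-update arrangement Joe describes (DHCP server sends TSIG-authenticated DNS UPDATEs, the authoritative server accepts them and signs the zone itself) as an added configuration example; this is not configuration from the thread or from either project, and the zone name, key name, server address, file path and secret are placeholders.

```conf
# --- named.conf fragment (BIND 9.16 or later) ---------------------------
# The zone is dynamic: updates arrive over DNS UPDATE, authenticated with a
# TSIG key, and named maintains the DNSSEC keys and signatures itself
# (dnssec-policy), so no separate "bump in the wire" signer is needed.
key "dhcp-ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";    # placeholder; generate with tsig-keygen
};

zone "dhcp.example.net" {
    type primary;
    file "/var/lib/bind/dhcp.example.net.db";   # placeholder path
    dnssec-policy "default";                    # named generates keys and signs
    update-policy {
        # Least privilege: the DHCP key may only change A, AAAA and DHCID
        # records on names below the apex, never NS, DS, DNSKEY or the apex.
        grant dhcp-ddns-key zonesub A AAAA DHCID;
    };
};

# --- dhcpd.conf fragment (ISC DHCP) -------------------------------------
# For every lease the DHCP server sends a DNS UPDATE for the client's name,
# signed with the same TSIG key, to the primary configured for the zone.
ddns-update-style standard;      # adds DHCID records to claim ownership of names
ddns-updates on;
ddns-domainname "dhcp.example.net.";
key dhcp-ddns-key {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";    # same placeholder secret as above
}
zone dhcp.example.net. {
    primary 192.0.2.53;          # placeholder address of the BIND9 server above
    key dhcp-ddns-key;
}
```

After a lease is issued, `dig +dnssec <name>.dhcp.example.net` against the primary should return the new A record together with an RRSIG, and `rndc dnssec -status dhcp.example.net` shows the key state that named manages for the zone.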
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/dns-wg