Hi,

On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:
> This however had the side effect that child zones that are not signed were no
> longer resolving
... this statement is not actually correct. Non-signed child zones are
perfectly fine *as long* as there are no DS records for those children in
the parent. Think ".de" and all the non-signed "$domain.de" zones...
[..]
> Are you signing DHCP zones?
> Would you recommend (not) doing it?
> If you are doing it, how are you doing it?
We're not currently doing it, but that's more a bit of laziness on my
side - our DHCP setup currently uses ISC DHCP, and the zones are hosted
on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS
nsupdate to BIND, and from there, BIND could do "normal" inline signing.
Having DHCP+DNS integrated in dnsmasq makes this more complicated, but
you could theoretically have "a real DNS" server AXFR the zones from
dnsmasq, and then sign them there.
Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?
SpaceNet AG                    Executive Board: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14      Chairman of the Supervisory Board: A. Grundner-Culemann
D-80807 Muenchen               Commercial register (HRB): 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444       VAT ID: DE813185279
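The point about DS records above, as an added example that is not part of the original post: a validating resolver treats a child zone as "insecure" (resolves normally) when the parent publishes no DS for it, "secure" when a DS matches one of the child's DNSKEYs, and "bogus" (SERVFAIL) when a DS exists but nothing in the child matches it, which is what happens when DS records are left behind after unsigning. The script computes the RFC 4034 key tag and SHA-256 DS digest and classifies a delegation; the zone name and key bytes are constructed, not a real key.

```python
import hashlib
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-case, length-prefixed labels, root."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA (RFC 4034 s2.1): flags(2) | protocol=3(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes) -> tuple:
    """DS as (key_tag, algorithm, digest_type=2, SHA-256(owner-wire | DNSKEY RDATA))."""
    digest = hashlib.sha256(name_to_wire(owner) + rdata).digest()
    return (key_tag(rdata), rdata[3], 2, digest)


def validation_state(owner: str, parent_ds: list, child_dnskeys: list) -> str:
    """What a validating resolver concludes about the delegation to `owner`."""
    if not parent_ds:
        return "insecure"  # no DS in the parent: an unsigned child resolves normally
    expected = {make_ds(owner, k) for k in child_dnskeys}
    if any(ds in expected for ds in parent_ds):
        return "secure"
    return "bogus"  # DS published, but no DNSKEY in the child matches it: SERVFAIL


# Constructed sample: flags 257 = KSK, algorithm 13 = ECDSAP256SHA256, arbitrary key bytes.
CHILD = "lab.example.de."
KSK = dnskey_rdata(257, 13, bytes(range(1, 65)))
DS_FOR_KSK = make_ds(CHILD, KSK)

if __name__ == "__main__":
    print(validation_state(CHILD, [], []))              # insecure
    print(validation_state(CHILD, [DS_FOR_KSK], [KSK]))  # secure
    print(validation_state(CHILD, [DS_FOR_KSK], []))     # bogus: stale DS after unsigning
```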
