DNSSEC, views & trusted keys...

Phil Mayers p.mayers at imperial.ac.uk
Fri Sep 10 06:43:24 UTC 2010

On 09/10/2010 03:05 AM, Mark Andrews wrote:
> In message<4C891404.3000203 at imperial.ac.uk>, Phil Mayers writes:
>> On 09/09/2010 03:45 PM, Timothe Litt wrote:
>>> There is other advice in the ARM that says to put 'your organization's
>>> public keys in the trusted-keys list'.  That doesn't help - and in fact,
>>> confuses me even more since example.net has TWO different public keys - one
>>> for each view.  And trusted-keys is a global server option...
>>> I must be missing something.
>> I don't think so. Currently AFAICT bind will not set AD on authoritative
>> zones, with any combination of options.

> Add a match-recursion-only view;

Sure; that's the "right" thing, but then bind will presumably consume 
more RAM - RAM to load the authoritative zones in the internal/external 
views, and RAM to cache them in the recursive view? The OP was 
explicitly unwilling to suffer this penalty as I understood it.

TBH I have some sympathy with the OPs issue; we like to slave our zones 
to our recursive resolvers, so that when we make updates to our zones 
(via DDNS, every few minutes) IXFR will keep them in-sync without 
waiting for TTLs to expire. But then we can't get the "ad" bit.

It would be nice if there were a feature sort of like attach-cache, but 
for master zones, so that a recursive view could be told to a) skip the 
network lookup, and fetch the data direct from view N and b) never cache 
the result.

More information about the bind-users mailing list