dnssec-policy & views

Matthijs Mekking matthijs at isc.org
Tue Mar 3 07:01:44 UTC 2020

Hi Graham,

On 2/29/20 5:27 PM, Graham Clinch wrote:
> How does the new-in-9.16 dnssec-policy interact with views - in
> particular for key generation/rollover?
> For example, we have a zone defined in multiple views with different
> contents (and thus not suitable for in-view), being signed by the same
> set of keys (currently maintained by dnssec-keymgr) - this allows us to
> publish only a single set of DS records for that zone.
> If a zone 'example.net' is defined in view 'a', and a zone 'example.net'
> is defined in view 'b', but both views share a single key-directory, is
> it 'safe' to configure dnssec-policy in both views?

Thanks for sharing your use case. I tried it and it is unsafe to do so
in 9.16.0.

The dnssec-policy does not take into account shared keys. But with views
you sort of implicitly have shared keys because you have multiple
versions of the zone. In the current code there is a race condition on
running key management on the different versions of the zone which may
result in too many keys.

I created an issue for this bug:


And I have a proposed fix for it. It may make the 9.16.1 release,
otherwise 9.16.2. With this fix you should be able to safely configure
dnssec-policy for a zone in multiple views, sharing the same set of keys.

Best regards,


> Graham
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20200303/7f19b0c8/attachment.bin>

More information about the bind-users mailing list