DNSSEC with views and shared zone files

Bowie Bailey Bowie_Bailey at BUC.com
Fri Oct 18 16:50:21 UTC 2024


On 10/18/2024 12:07 PM, Bob Harold wrote:
>
> On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users 
> <bind-users at lists.isc.org> wrote:
>
>     I am finally getting around to setting up DNSSEC on my server (Bind
>     9.16).  I found some instructions online and was able to set up one of
>     my zones and confirm that the keys are being returned.  However, after
>     doing a bit more testing I ran into a couple of issues.
>
>     I am using the recommended setup with the "dnssec-policy default" and
>     "inline-signing yes".
>
>     The first issue is that my server uses a few views to give different IPs
>     based on which network the request comes from.  I found that if I point
>     the zones in the different views to the same key directory, there are no
>     errors and all views return the same keys when I test with dig.  So this
>     appears to work.  Are there any gotchas that might come up with this setup?
>
> I think this will work because the key files include the zone name, so 
> they will be unique.
>
>
>     The second issue is that I have multiple zones that all point to the
>     same file since those domains all go to the same set of servers.  Right
>     now, I am using the same zone file for all of them.  This works fine
>     currently, but when I try to enable DNSSEC for those domains, I get an
>     error "writable file ... already in use".  The simple answer would be to
>     make a unique file for each zone; however, I would rather keep a single
>     file updated instead of having to make changes to all of the individual
>     files whenever something changes with those servers.  So far, the only
>     other solution I've found is to manage the keys manually, which seems to
>     add quite a bit of complexity to the setup.  Is there a better way to do
>     this?
>
>
> I am using "in-view" so I only have one copy of the zone in memory and 
> on disk.
> In the 'oncampus' view:
> zone "umich.edu" {
>     type slave;
>     file "oncampus/edu.umich";
>     masters {
>         "DNS123";
>     };
> };
>
> And in the other view:
> zone "umich.edu" {
>     in-view "oncampus";
> };

This isn't quite the same as my setup.  I don't think there are any 
files shared between views.  The issue is that within one view, multiple 
zones will point to the same file.  For example:

zone "test.com" {
     type master;
     file "db.test.com";
};
zone "test2.com" {
     type master;
     file "db.test.com";
};

I would like to have DNSSEC active on both domains, but since they are 
sharing a file, Bind complains about it.

-- 
Bowie
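As an added check (my own code, not from the thread or from ISC): a small parser over a constructed named.conf fragment that lists which zones inside each view point at the same zone file, the condition behind the "writable file ... already in use" error above. It assumes the `_default` name BIND uses for its implicit view, strips only line comments, and handles just the view/zone/file statements shown here.

```python
import re
# Constructed named.conf fragment modelled on the thread: two zones in one view share a
# writable file (what inline-signing rejects); the other view reuses a zone via in-view.
SAMPLE_CONF = """
view "internal" {
    zone "test.com"  { type master; file "db.test.com"; dnssec-policy default; inline-signing yes; };
    zone "test2.com" { type master; file "db.test.com"; dnssec-policy default; inline-signing yes; };
    zone "other.com" { type master; file "db.other.com"; };
};
view "external" {
    zone "test.com" { in-view "internal"; };   // no file statement of its own
};
"""
def _parse(tokens, pos=0):
    # Recursive descent over one brace block -> ([(args, body)], next_pos); body is None for leaves.
    stmts, args = [], []
    while pos < len(tokens) and tokens[pos] != "}":
        tok, pos = tokens[pos], pos + 1
        if tok in "{;":
            body, pos = _parse(tokens, pos) if tok == "{" else (None, pos)
            if args or body is not None:
                stmts.append((args, body))
            args = []
        else:
            args.append(tok.strip('"'))
    return stmts, pos + 1   # step past the closing brace

def zone_files(conf_text):
    """{(view, zone): file} for each zone that names its own file; in-view zones name none."""
    text = re.sub(r"//.*|#.*", "", conf_text)                      # drop line comments (naive)
    top, _ = _parse(re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text))  # strings, braces, words
    found = {}
    def walk(stmts, view):
        for args, body in stmts:
            kind = args[0] if body is not None and len(args) > 1 else None
            if kind == "view":
                walk(body, args[1])
            elif kind == "zone":
                files = [a[1] for a, b in body if b is None and len(a) > 1 and a[0] == "file"]
                if files:
                    found[(view, args[1])] = files[0]
    walk(top, "_default")   # BIND's name for the implicit view when none is declared
    return found

def shared_zone_files(conf_text):
    """Map each zone file referenced by more than one zone to the (view, zone) pairs using it."""
    by_file = {}
    for key, path in zone_files(conf_text).items():
        by_file.setdefault(path, []).append(key)
    return {p: sorted(z) for p, z in by_file.items() if len(z) > 1}
```

Running `shared_zone_files` over a real named.conf (e.g. the output of `named-checkconf -p`) flags exactly the zone pairs that would need separate files before inline-signing can be enabled; in-view references are not counted because they carry no file of their own.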