DNSSEC with views and shared zone files
Sten Carlsen
stenc at s-carlsen.dk
Fri Oct 18 18:50:49 UTC 2024
--
Best regards
Sten Carlsen
A pessimist is a person that can find a problem for every solution.
> On 18 Oct 2024, at 18.50, Bowie Bailey via bind-users <bind-users at lists.isc.org> wrote:
>
> On 10/18/2024 12:07 PM, Bob Harold wrote:
>>
>>> On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users <bind-users at lists.isc.org> wrote:
>>> I am finally getting around to setting up DNSSEC on my server (Bind
>>> 9.16). I found some instructions online and was able to set up one of
>>> my zones and confirm that the keys are being returned. However, after
>>> doing a bit more testing I ran into a couple of issues.
>>>
>>> I am using the recommended setup with the "dnssec-policy default" and
>>> "inline-signing yes".
>>>
>>> The first issue is that my server uses a few views to give different IPs
>>> based on which network the request comes from. I found that if I point
>>> the zones in the different views to the same key directory, there are no
>>> errors and all views return the same keys when I test with dig. So this
>>> appears to work. Are there any gotchas that might come up with this setup?
>>
>> I think this will work because the key files include the zone name, so they will be unique.
>>
>>>
>>> The second issue is that I have multiple zones that all point to the
>>> same file since those domains all go to the same set of servers. Right
>>> now, I am using the same zone file for all of them. This works fine
>>> currently, but when I try to enable DNSSEC for those domains, I get an
>>> error "writable file ... already in use". The simple answer would be to
>>> make a unique file for each zone, however I would rather keep a single
>>> file updated instead of having to make changes to all of the individual
>>> files whenever something changes with those servers. So far, the only
>>> other solution I've found is to manage the keys manually, which seems to
>>> add quite a bit of complexity to the setup. Is there a better way to do
>>> this?
>>
>> I am using "in-view" so I only have one copy of the zone in memory and on disk.
>> In the 'oncampus' view:
>> zone "umich.edu" {
>> type slave;
>> file "oncampus/edu.umich";
>> masters {
>> "DNS123";
>> };
>> };
>>
>> And in the other view:
>> zone "umich.edu" {
>> in-view "oncampus";
>> };
>
> This isn't quite the same as my setup. I don't think there are any files shared between views. The issue is that within one view, multiple zones will point to the same file. For example:
This could be a problem; in my setup all zones have their own files, no sharing of files.
I think I do remember advice against sharing files.
>
> zone "test.com" {
> type master;
> file "db.test.com";
> };
> zone "test2.com" {
> type master;
> file "db.test.com";
> };
>
> I would like to have DNSSEC active on both domains, but since they are sharing a file, Bind complains about it.
>
> --
> Bowie
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
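The thread above turns on two configurations: Bob Harold's `in-view` sharing of one zone across views, and Bowie Bailey's several zones pointing at one zone file inside a single view, which breaks once `inline-signing`/`dnssec-policy` makes those zones writable. The following is an added example, not code from the list or from ISC: a small audit script that reads a named.conf-style fragment, records which zones carry their own `file`, which are `in-view` aliases (no file of their own), and which have signing enabled, then reports any on-disk file that more than one signing-enabled zone would write to. The sample configuration embedded in it is constructed for illustration (the zone names, view names and file path are assumptions, not anyone's real setup), and the parser handles only the statement layout shown, one statement per line, which is enough to check a hand-written configuration before turning DNSSEC on.

```python
import re
from collections import defaultdict

# Constructed named.conf fragment (sample input, not a real configuration).
# "internal" holds two signed zones that share one file, the shape Bowie
# describes; "external" reuses both via in-view, the shape Bob describes.
SAMPLE_NAMED_CONF = r'''
view "internal" {
    match-clients { 10.0.0.0/8; };
    zone "test.com" {
        type master;
        file "db.test.com";
        dnssec-policy default;
        inline-signing yes;
    };
    zone "test2.com" {
        type master;
        file "db.test.com";
        dnssec-policy default;
        inline-signing yes;
    };
};
view "external" {
    match-clients { any; };
    zone "test.com" {
        in-view "internal";
    };
    zone "test2.com" {
        in-view "internal";
    };
};
'''

VIEW_RE = re.compile(r'^view\s+"?([^"\s{]+)"?')
ZONE_RE = re.compile(r'^zone\s+"?([^"\s{]+)"?')
FILE_RE = re.compile(r'^file\s+"([^"]+)"')
IN_VIEW_RE = re.compile(r'^in-view\s+"?([^"\s;]+)"?')
# Either of these makes BIND maintain (and write) the zone itself.
SIGNING_RE = re.compile(r'^(inline-signing\s+yes|dnssec-policy\s+(?!none\b)\S+)\s*;')


def parse_zone_files(conf):
    """Walk the fragment line by line, tracking brace depth to know which
    view and zone block each statement belongs to. Returns one dict per
    zone: view, name, file (or None), in_view (or None), signing (bool)."""
    zones, depth = [], 0
    view = view_depth = None
    zone = zone_depth = None
    for raw in conf.splitlines():
        s = raw.strip()
        if not s or s.startswith(("//", "#")):
            continue
        m = VIEW_RE.match(s)
        if m:
            view, view_depth = m.group(1), depth
        m = ZONE_RE.match(s)
        if m:
            zone = {"view": view, "name": m.group(1), "file": None,
                    "in_view": None, "signing": False}
            zone_depth = depth
            zones.append(zone)
        if zone is not None:
            m = FILE_RE.match(s)
            if m:
                zone["file"] = m.group(1)
            m = IN_VIEW_RE.match(s)
            if m:
                zone["in_view"] = m.group(1)
            if SIGNING_RE.match(s):
                zone["signing"] = True
        depth += s.count("{") - s.count("}")
        # Leaving the block: the zone/view closed on this line.
        if zone is not None and depth <= zone_depth:
            zone = None
        if view is not None and depth <= view_depth:
            view = None
    return zones


def find_shared_writable_files(zones):
    """Group zones by the file they load. in-view zones are skipped because
    they have no file of their own (that is the point of in-view). A file
    loaded by more than one zone is reported when any of those zones has
    signing enabled, since that zone will want to write the file. Grouping is
    by path across views: on disk it is the same file whichever view names it."""
    by_file = defaultdict(list)
    for z in zones:
        if z["file"] and z["in_view"] is None:
            by_file[z["file"]].append((z["view"], z["name"]))
    conflicts = []
    for path, users in sorted(by_file.items()):
        if len(users) > 1 and any(
                z["signing"] for z in zones if z["file"] == path and z["in_view"] is None):
            conflicts.append((path, sorted(users)))
    return conflicts


if __name__ == "__main__":
    found = find_shared_writable_files(parse_zone_files(SAMPLE_NAMED_CONF))
    for path, users in found:
        who = ", ".join(f"{name} (view {view})" for view, name in users)
        print(f"{path}: shared by signing-enabled zones: {who}")
```

Running it on the sample reports `db.test.com` as shared by `test.com` and `test2.com` in the internal view, while the two `in-view` zones in the external view produce no finding. That matches the split in the thread: `in-view` reuses one zone (one file) across views without any second writer, whereas two distinct zones loading one file each become a writer as soon as signing is enabled.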