DNSSEC with views and shared zone files

Nick Tait nick at tait.net.nz
Fri Oct 18 22:19:38 UTC 2024


On 19/10/2024 05:50, Bowie Bailey via bind-users wrote:
> On 10/18/2024 12:07 PM, Bob Harold wrote:
>> On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users 
>> <bind-users at lists.isc.org> wrote:
>>
>>     I am finally getting around to setting up DNSSEC on my server (Bind
>>     9.16).  I found some instructions online and was able to set up one of
>>     my zones and confirm that the keys are being returned. However, after
>>     doing a bit more testing I ran into a couple of issues.
>>
>>     I am using the recommended setup with the "dnssec-policy default" and
>>     "inline-signing yes".
>>
>>     The first issue is that my server uses a few views to give different IPs
>>     based on which network the request comes from.  I found that if I point
>>     the zones in the different views to the same key directory, there are no
>>     errors and all views return the same keys when I test with dig.  So this
>>     appears to work.  Are there any gotchas that might come up with this setup?
>>
>> I think this will work because the key files include the zone name, 
>> so they will be unique.
I've been doing the same for years and never had any issues.
>>
>>
>>     The second issue is that I have multiple zones that all point to the
>>     same file since those domains all go to the same set of servers.  Right
>>     now, I am using the same zone file for all of them.  This works fine
>>     currently, but when I try to enable DNSSEC for those domains, I get an
>>     error "writable file ... already in use".  The simple answer would be to
>>     make a unique file for each zone, however I would rather keep a single
>>     file updated instead of having to make changes to all of the individual
>>     files whenever something changes with those servers.  So far, the only
>>     other solution I've found is to manage the keys manually, which seems to
>>     add quite a bit of complexity to the setup.  Is there a better way to do
>>     this?
>>
>>
>> I am using "in-view" so I only have one copy of the zone in memory 
>> and on disk.
>> In the 'oncampus' view:
>> zone "umich.edu" {
>>     type slave;
>>     file "oncampus/edu.umich";
>>     masters {
>>         "DNS123";
>>     };
>> };
>>
>> And in the other view:
>> zone "umich.edu" {
>>     in-view "oncampus";
>> };
>
> This isn't quite the same as my setup.  I don't think there are any 
> files shared between views.  The issue is that within one view, 
> multiple zones will point to the same file.  For example:
>
> zone "test.com" {
>     type master;
>     file "db.test.com";
> };
> zone "test2.com" {
>     type master;
>     file "db.test.com";
> };
>
> I would like to have DNSSEC active on both domains, but since they are 
> sharing a file, Bind complains about it.

If you are using Linux, I'd suggest looking at using filesystem links so 
that you can have separate files that share the same content. (See "man 
ln".)

Nick.
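The approach suggested above (one shared master file, a distinct file name per zone via filesystem links so that inline-signing no longer sees the same writable file twice) worked through as an added example; this is not part of the thread and not ISC's code. The zone names, the `db.shared` file, the `/keys` key directory and the stanza layout are constructed for the demonstration, and the script only touches a temporary directory.

```bash
#!/usr/bin/env bash
# Added example (not from the thread): give each zone its own file name that
# is a hard link to one shared master file, then emit matching named.conf
# stanzas. All paths and zone names below are hypothetical.
set -eu

# Create db.<zone> beside the master file as a hard link to it.
# Usage: link_zone_files /var/named/db.shared test.com test2.com
link_zone_files() {
    local master=$1; shift
    local dir
    dir=$(dirname "$master")
    for zone in "$@"; do
        local target="$dir/db.$zone"
        # Refuse to clobber an unrelated file that is not already a link to master.
        if [ -e "$target" ] && ! [ "$target" -ef "$master" ]; then
            echo "refusing to overwrite $target: not a link to $master" >&2
            return 1
        fi
        ln -f "$master" "$target"
    done
}

# Print one stanza per zone: a distinct writable file for each zone, while the
# key directory can be shared because key file names embed the zone name.
emit_zone_stanzas() {
    local dir=$1 keydir=$2; shift 2
    for zone in "$@"; do
        cat <<EOF
zone "$zone" {
    type master;
    file "$dir/db.$zone";
    dnssec-policy default;
    inline-signing yes;
    key-directory "$keydir";
};
EOF
    done
}

# Number of distinct inodes behind the per-zone files. "1" means every zone
# file really is the same content; anything else means a link was broken.
count_inodes() {
    local dir=$1; shift
    for zone in "$@"; do ls -i "$dir/db.$zone"; done \
        | awk '{print $1}' | sort -u | wc -l | tr -d ' '
}

# Demo on constructed data in a temporary directory.
demo() {
    local tmp
    tmp=$(mktemp -d)
    printf '$TTL 3600\n@ IN SOA ns1 hostmaster 1 7200 3600 1209600 3600\n@ IN NS ns1\n@ IN A 192.0.2.10\nns1 IN A 192.0.2.10\n' > "$tmp/db.shared"
    link_zone_files "$tmp/db.shared" test.com test2.com
    echo "distinct inodes: $(count_inodes "$tmp" test.com test2.com)"
    emit_zone_stanzas "$tmp" "$tmp/keys" test.com test2.com
    rm -rf "$tmp"
}

demo
```

The one caveat worth keeping in mind with hard links is that they only stay in sync while the shared file is edited in place (same inode). An editor or deployment tool that writes a new file and renames it over the old one silently leaves the other zones pointing at the stale copy, so re-running `count_inodes` (or `ls -i` by hand) after each edit is a cheap check that the files still share content.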