DNSSEC with views and shared zone files

Bowie Bailey Bowie_Bailey at BUC.com
Tue Oct 22 15:33:23 UTC 2024


On 10/21/2024 9:35 AM, Bowie Bailey via bind-users wrote:
> On 10/18/2024 6:19 PM, Nick Tait via bind-users wrote:
>> On 19/10/2024 05:50, Bowie Bailey via bind-users wrote:
>>> On 10/18/2024 12:07 PM, Bob Harold wrote:
>>>> On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users 
>>>> <bind-users at lists.isc.org> wrote:
>>>>
>>>>     The second issue is that I have multiple zones that all point to the
>>>>     same file since those domains all go to the same set of servers. Right
>>>>     now, I am using the same zone file for all of them. This works fine
>>>>     currently, but when I try to enable DNSSEC for those domains, I get an
>>>>     error "writable file ... already in use".  The simple answer would be to
>>>>     make a unique file for each zone, however I would rather keep a single
>>>>     file updated instead of having to make changes to all of the individual
>>>>     files whenever something changes with those servers. So far, the only
>>>>     other solution I've found is to manage the keys manually, which seems to
>>>>     add quite a bit of complexity to the setup.  Is there a better way to do
>>>>     this?
>>>>
>>> zone "test.com" {
>>>     type master;
>>>     file "db.test.com";
>>> };
>>> zone "test2.com" {
>>>     type master;
>>>     file "db.test.com";
>>> };
>>>
>>> I would like to have DNSSEC active on both domains, but since they 
>>> are sharing a file, Bind complains about it.
>>
>> If you are using Linux, I'd suggest looking at using filesystem links 
>> so that you can have separate files that share the same content. (See 
>> "man ln".)
>>
>
> That is an interesting idea.  I'm familiar with hard links, but I 
> hadn't considered using them here.  My other idea was copying one of 
> the zone files to a "master" file and then $INCLUDING that file in 
> each of the individual zone files.  I'm not sure if bind will let me 
> put the SOA into an include.  I'll do some testing on both options 
> later today and see what works.

Just a followup here for anyone who finds this thread later.

I did some testing and both options seem to work.  I haven't updated my 
live domains or sent key info to the registrar yet, but everything looks 
good on my test domains.

Hardlinking the files together worked fine with no errors at all. 
Softlinks to a master file also worked just fine.

Creating zone files that just say "$INCLUDE db.master" with no other 
content and having the SOA and everything else in db.master also works.  
I will probably go with either $INCLUDE or softlinks rather than 
hardlinks.  Hardlinks are hard to distinguish from separate files on 
first glance, which could lead to mistakes later on.

Apparently, the only requirement is that the zone files have unique 
names for DNSSEC.  It doesn't seem to care about them otherwise.

I am somewhat surprised that I was able to have the SOA in an include 
file.  I was expecting Bind to throw an error on that even without the 
DNSSEC processing.

Thanks for the comments and suggestions everyone!

-- 
Bowie
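As an added illustration of the $INCLUDE approach described in the follow-up (this is not code from the thread or from ISC), the POSIX sh below writes one stub zone file per zone that contains nothing but `$INCLUDE db.master`, and scans a named.conf fragment for `file` directives shared between zones, which is the situation behind the "writable file ... already in use" error once `dnssec-policy` is enabled. The zone names test.com and test2.com and the file name db.master come from the thread; the `dnssec-policy default;` line is the built-in policy that ships with BIND 9.16 and later, assumed here. The scan is a simple line-oriented check, not a full named.conf parser.

```shell
#!/bin/sh
# Added example: per-zone stub files that $INCLUDE a shared master, plus a
# pre-reload check for zones that still share a "file" directive.
set -eu

# Write "$INCLUDE <master>" as the only content of db.<zone> for each zone name
# given, so every zone has a uniquely named file while the records live once.
make_include_stubs() {
    dir=$1; master=$2; shift 2
    for z in "$@"; do
        printf '$INCLUDE %s\n' "$master" > "$dir/db.$z"
    done
}

# Read a named.conf-style fragment on stdin and print every file name that is
# used by more than one zone, followed by the zones that use it.
# Returns 1 if any shared file was found, 0 otherwise.
find_shared_files() {
    awk '
        /^[[:space:]]*zone[[:space:]]+"/ {
            match($0, /"[^"]+"/); zone = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /^[[:space:]]*file[[:space:]]+"/ {
            match($0, /"[^"]+"/); f = substr($0, RSTART + 1, RLENGTH - 2)
            n[f]++; zones[f] = zones[f] " " zone
        }
        END {
            rc = 0
            for (f in n) if (n[f] > 1) { print f ":" zones[f]; rc = 1 }
            exit rc
        }'
}

# Emit a named.conf fragment (constructed for this example) with signing
# enabled and one uniquely named file per zone.
zone_conf() {
    for z in "$@"; do
        printf 'zone "%s" {\n    type master;\n    file "db.%s";\n    dnssec-policy default;\n};\n' "$z" "$z"
    done
}

# Stand-alone demonstration: build the layout in a scratch directory and
# confirm the generated configuration has no shared files.
demo() {
    dir=$(mktemp -d)
    printf 'shared master zone data would go here\n' > "$dir/db.master"
    make_include_stubs "$dir" db.master test.com test2.com
    cat "$dir/db.test.com"                    # $INCLUDE db.master
    zone_conf test.com test2.com | find_shared_files && echo "no shared zone files"
    rm -rf "$dir"
}

demo
```

Run the script as-is to see the stub contents and the "no shared zone files" result; pipe an existing named.conf into `find_shared_files` to list any zones that still point at one file before turning on `dnssec-policy`.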