<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 26/05/22 20:34, Matthijs Mekking
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:e8d78ac8-a380-5587-7d07-6f3a3c9f2d0c@isc.org">What
version are you using? We had a bug with dnssec-policy and views
(#2463), but that has been fixed.
<br>
<br>
Since 9.16.18 you should not be able to set the same key-directory
for the same zone in different views.
</blockquote>
<p>Hi Matthijs.</p>
<p>You got me worried just then because for several years I have
been using a split DNS set-up, with the same zone defined in two
different views which share a common keys directory. And then
about a month ago I upgraded from 9.16.something to 9.18.1.<br>
</p>
<p>But I've managed to find the release note that I think you're
referring to. From
<a class="moz-txt-link-freetext" href="https://downloads.isc.org/isc/bind9/9.16.29/doc/arm/html/notes.html#id24">https://downloads.isc.org/isc/bind9/9.16.29/doc/arm/html/notes.html#id24</a>
:</p>
<blockquote>
<p>Zones which are configured in multiple views, with different
values
set for <code class="docutils literal notranslate"><span
class="pre">dnssec-policy</span></code> and with identical
values set for
<code class="docutils literal notranslate"><span class="pre">key-directory</span></code>,
are now detected and treated as a configuration
error. <span class="target" id="index-64"></span><a class="gl
reference external"
href="https://gitlab.isc.org/isc-projects/bind9/-/issues/2463"><strong>[GL
#2463]</strong></a></p>
</blockquote>
<p>So based on this it would seem that it is OK for two views to
define the same DNSSEC zone and share the same keys directory, <b>as
long as they are using the same dnssec-policy</b>?</p>
<p>Please advise if I've got that wrong?</p>
<p>Thanks,</p>
<p>Nick.<br>
</p>
</body>
</html>