<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">I am running this setup; it works.<div><br></div><div>My 2 zones are internal and external, so testing from outside can only show one side.</div><div><br id="lineBreakAtBeginningOfMessage"><div>
<div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">Thanks</div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;"><br></div><div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0); font-family: Helvetica; font-size: 12px; font-style: normal; font-variant-caps: normal; font-weight: normal; letter-spacing: normal; orphans: auto; text-align: start; text-indent: 0px; text-transform: none; white-space: normal; widows: auto; word-spacing: 0px; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px; text-decoration: none;">Sten</div>
</div>
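<div>An added example, not from any message in this thread: a named.conf fragment for the setup Bowie describes (split-horizon views, "dnssec-policy default", "inline-signing yes", one key directory shared by both views), with a distinct zone file per view so that inline signing does not hit "writable file ... already in use". The zone name, networks and paths are assumed.</div>

```conf
// Added example, not from the thread. Zone name, networks and paths are assumed.
options {
    directory "/var/named";
};

// Assumed internal networks for the split-horizon view.
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; };

view "internal" {
    match-clients { internal-nets; };
    zone "example.com" {
        type master;
        // Unsigned source data for this view. Inline signing writes
        // example.com.db.signed and example.com.db.signed.jnl next to it,
        // so this file name must not be shared with any other signed zone.
        file "internal/example.com.db";
        dnssec-policy default;
        inline-signing yes;
        // Shared key directory: key files are named after the zone
        // (Kexample.com.+013+<keyid>.key / .private), so both views
        // publish the same DNSKEY set. Keep the dnssec-policy identical
        // in every view that shares this directory.
        key-directory "/var/named/keys";
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type master;
        // Different data, different file: the view's .signed output is its own.
        file "external/example.com.db";
        dnssec-policy default;
        inline-signing yes;
        key-directory "/var/named/keys";
    };
};
```

<div>Run named-checkconf before reloading, then query DNSKEY from a client in each network and compare the key IDs; one DS at the parent must match both. The same one-writable-file-per-zone rule applies to the second question: each zone name needs its own file, but a per-zone file can hold only an $INCLUDE of the common data so there is still one place to edit.</div>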
<div><br><blockquote type="cite"><div>On 18 Oct 2024, at 18.07, Bob Harold <rharolde@umich.edu> wrote:</div><br class="Apple-interchange-newline"><div><div dir="ltr"><div dir="ltr"><div><div dir="ltr" class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div><br></div></div></div></div></div></div></div><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I am finally getting around to setting up DNSSEC on my server (Bind <br>
9.16). I found some instructions online and was able to set up one of <br>
my zones and confirm that the keys are being returned. However, after <br>
doing a bit more testing I ran into a couple of issues.<br>
<br>
I am using the recommended setup with the "dnssec-policy default" and <br>
"inline-signing yes".<br>
<br>
The first issue is that my server uses a few views to give different IPs <br>
based on which network the request comes from. I found that if I point <br>
the zones in the different views to the same key directory, there are no <br>
errors and all views return the same keys when I test with dig. So this <br>
appears to work. Are there any gotchas that might come up with this setup?<br></blockquote><div> </div><div>I think this will work because the key files include the zone name, so they will be unique.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
The second issue is that I have multiple zones that all point to the <br>
same file since those domains all go to the same set of servers. Right <br>
now, I am using the same zone file for all of them. This works fine <br>
currently, but when I try to enable DNSSEC for those domains, I get an <br>
error "writable file ... already in use". The simple answer would be to <br>
make a unique file for each zone; however, I would rather keep a single <br>
file updated instead of having to make changes to all of the individual <br>
files whenever something changes with those servers. So far, the only <br>
other solution I've found is to manage the keys manually, which seems to <br>
add quite a bit of complexity to the setup. Is there a better way to do <br>
this?<br></blockquote><div><br></div><div>I am using "in-view" so I only have one copy of the zone in memory and on disk. </div><div>In the 'oncampus' view:</div><div>zone "umich.edu" {<br> type slave;<br> file "oncampus/edu.umich";<br> masters {<br> "DNS123";<br> };<br> };<br></div><div><br></div><div>And in the other view:</div><div> zone "umich.edu" {<br> in-view "oncampus";<br> };<br></div><div><br></div><div>-- </div><div>Bob Harold</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Thanks,<br>
<br>
Bowie<br><br>
</blockquote></div></div>
</div></blockquote></div><br></div></body></html>