<div dir="ltr"><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Oct 18, 2024 at 11:33 AM Bowie Bailey via bind-users <<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I am finally getting around to setting up DNSSEC on my server (Bind <br>
9.16). I found some instructions online and was able to set up one of <br>
my zones and confirm that the keys are being returned. However, after <br>
doing a bit more testing I ran into a couple of issues.<br>
<br>
I am using the recommended setup with the "dnssec-policy default" and <br>
"inline-signing yes".<br>
<br>
The first issue is that my server uses a few views to give different IPs <br>
based on which network the request comes from. I found that if I point <br>
the zones in the different views to the same key directory, there are no <br>
errors and all views return the same keys when I test with dig. So this <br>
appears to work. Are there any gotchas that might come up with this setup?<br></blockquote><div> </div><div>I think this will work because the key files include the zone name, so they will be unique.</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
The second issue is that I have multiple zones that all point to the <br>
same file since those domains all go to the same set of servers. Right <br>
now, I am using the same zone file for all of them. This works fine <br>
currently, but when I try to enable DNSSEC for those domains, I get an <br>
error "writable file ... already in use". The simple answer would be to <br>
make a unique file for each zone, however I would rather keep a single <br>
file updated instead of having to make changes to all of the individual <br>
files whenever something changes with those servers. So far, the only <br>
other solution I've found is to manage the keys manually, which seems to <br>
add quite a bit of complexity to the setup. Is there a better way to do <br>
this?<br></blockquote><div><br></div><div>I am using "in-view" so I only have one copy of the zone in memory and on disk. </div><div>In the 'oncampus' view:</div><pre>zone "umich.edu" {
    type slave;
    file "oncampus/edu.umich";
    masters {
        "DNS123";   // a named masters list defined elsewhere in named.conf
    };
};
</pre><div><br></div><div>And in the other view:</div><pre>zone "umich.edu" {
    in-view "oncampus";   // reuse the instance loaded in the 'oncampus' view
};
</pre><div><br></div><div>-- </div><div>Bob Harold</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Thanks,<br>
<br>
Bowie<br><br>
</blockquote></div></div>
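<div>A complete named.conf sketch of the in-view arrangement described above combined with the "dnssec-policy default" / "inline-signing yes" setup from the question. This is an added example, not config from either poster; the view names, example.com, 192.0.2.0/24 and the paths are placeholders.</div>

```conf
// Added example (not from the thread). One signed instance of the zone,
// reused by a second view with "in-view", so there is one file on disk,
// one copy in memory and one set of keys. Placeholders: the two views,
// example.com, 192.0.2.0/24, /var/named and /var/named/keys.

options {
    directory "/var/named";
};

// The view that owns the zone must come first: "in-view" can only refer
// to a view that is defined earlier in the file.
view "internal" {
    match-clients { 192.0.2.0/24; };

    zone "example.com" {
        type primary;
        file "internal/example.com.db";
        key-directory "/var/named/keys";  // key file names include the zone name
        dnssec-policy default;
        inline-signing yes;
    };
};

view "external" {
    match-clients { any; };

    // Same zone name, same data, same DNSKEY RRset: nothing is loaded or
    // signed twice. No other zone options are allowed alongside in-view.
    // Note that in-view only works for the *same* zone name across views;
    // it does not cover several different zone names sharing one file.
    zone "example.com" {
        in-view "internal";
    };
};
```

After a reload, `dig @server example.com DNSKEY` from a client in each view should return the identical RRset.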