<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 10/18/2024 12:07 PM, Bob Harold
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CA+nkc8BOusQvo=hLTKRWioSfJA74WPwBw1gwLo5TtSC54d=1Rg@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="ltr">
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Fri, Oct 18, 2024 at
11:33 AM Bowie Bailey via bind-users <<a
href="mailto:bind-users@lists.isc.org"
moz-do-not-send="true" class="moz-txt-link-freetext">bind-users@lists.isc.org</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">I
am finally getting around to setting up DNSSEC on my server (Bind 9.16). I found some instructions online and was able to set up one of my zones and confirm that the keys are being returned. However, after doing a bit more testing I ran into a couple of issues.<br>
<br>
I am using the recommended setup with the "dnssec-policy default" and "inline-signing yes".<br>
<br>
The first issue is that my server uses a few views to give different IPs based on which network the request comes from. I found that if I point the zones in the different views to the same key directory, there are no errors and all views return the same keys when I test with dig. So this appears to work. Are there any gotchas that might come up with this setup?<br>
</blockquote>
<div> </div>
<div>I think this will work because the key files include the
zone name, so they will be unique.</div>
<div> </div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
The second issue is that I have multiple zones that all point to the same file since those domains all go to the same set of servers. Right now, I am using the same zone file for all of them. This works fine currently, but when I try to enable DNSSEC for those domains, I get an error "writable file ... already in use". The simple answer would be to make a unique file for each zone, however I would rather keep a single file updated instead of having to make changes to all of the individual files whenever something changes with those servers. So far, the only other solution I've found is to manage the keys manually, which seems to add quite a bit of complexity to the setup. Is there a better way to do this?<br>
</blockquote>
<div><br>
</div>
<div>I am using "in-view" so I only have one copy of the zone
in memory and on disk. </div>
<div>In the 'oncampus' view:</div>
<div>zone "umich.edu" {<br>
type slave;<br>
file "oncampus/edu.umich";<br>
masters {<br>
"DNS123";<br>
};<br>
};<br>
</div>
<div><br>
</div>
<div>And in the other view:</div>
<div>zone "umich.edu" {<br>
in-view "oncampus";<br>
};</div>
</div>
</div>
</blockquote>
<br>
This isn't quite the same as my setup. I don't think there are any
files shared between views. The issue is that within one view,
multiple zones will point to the same file. For example:<br>
<br>
zone "test.com" {<br>
type master;<br>
file "db.test.com";<br>
};<br>
zone "test2.com" {<br>
type master;<br>
file "db.test.com";<br>
};<br>
<br>
I would like to have DNSSEC active on both domains, but since they
are sharing a file, Bind complains about it.<br>
<br>
-- <br>
Bowie<br>
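<br>
The following is an added example, not part of the thread above: since an inline-signed zone needs its own writable file, one way to keep "a single file updated" is to keep one template and render a private copy per zone, emitting the matching named.conf stanzas at the same time. Template content, output paths and zone names are constructed for illustration.<br>
<br>
```shell
#!/bin/sh
# Added example (not from the thread): BIND refuses to let two inline-signed
# zones share one writable file ("writable file ... already in use"). Keep a
# single source template and render one copy per zone so named sees distinct
# files. All paths and zone names below are constructed.

set -eu

# Constructed sample template. "@" and unqualified names resolve against the
# zone's own origin, so the same content is valid for every zone using it.
write_template() {
  cat > "$1" <<'EOF'
$TTL 3600
@   IN SOA ns1 hostmaster ( 2024101801 7200 3600 1209600 3600 )
@   IN NS  ns1
@   IN NS  ns2
ns1 IN A   192.0.2.1
ns2 IN A   192.0.2.2
@   IN A   192.0.2.10
www IN A   192.0.2.10
EOF
}

# render_zones TEMPLATE OUTDIR ZONE... : copy the template to OUTDIR/db.ZONE
# for each zone and print a named.conf stanza pointing at that private copy,
# using the dnssec-policy/inline-signing options from the original question.
render_zones() {
  tpl=$1; out=$2; shift 2
  mkdir -p "$out"
  for zone in "$@"; do
    cp "$tpl" "$out/db.$zone"
    printf 'zone "%s" {\n    type master;\n    file "%s/db.%s";\n    dnssec-policy default;\n    inline-signing yes;\n};\n' \
      "$zone" "$out" "$zone"
  done
}

# count_zone_files OUTDIR : number of rendered per-zone files.
count_zone_files() {
  ls "$1"/db.* | wc -l | tr -d ' '
}

# Usage with constructed paths; re-run after editing the template to refresh
# every zone's copy, then reload named.
tmp=$(mktemp -d)
write_template "$tmp/db.template"
render_zones "$tmp/db.template" "$tmp/zones" test.com test2.com > "$tmp/zones.conf"
```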
</body>
</html>