dnssec-lookaside auto and managed-keys-zone problem with certain views
Evan Hunt
each at isc.org
Mon Jul 19 00:05:03 UTC 2010
> Well, it's a better work around than what I have been doing, but not
> having the RFC 5011 behaviour is quite a disappointment. Now I have
> presentiments of disaster should the DLV key have to be rolled for
> whatever reason.

Sorry, I misunderstood your question--I thought you wanted to know how
to use DLV without having a managed-keys zone created at all.

In 9.7.1 and above, you can use "managed-keys" statements at the view level
as well as globally. (This was a known limitation in 9.7.0.) You can also
use "dnssec-lookaside auto" at the view level.

You'll want to set a "managed-keys-directory" option. For example:

    options {
        ...
        managed-keys-directory "managed-keys";
    };

    view external {
        match-clients { ... };
        dnssec-lookaside auto;
        ...
    };

Make sure you create the "managed-keys" directory within the working
directory for the named process, and that it's writable. Each view
using this feature will create a separate file to store key data, and
the filenames they use are... well, let's just say "unwieldy". Best
to segregate them into a directory where you don't have to look at them.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
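
A preflight check for the directory setup described in the message above, as an added example that is not part of the original post or of BIND. It assumes named.conf writes each option on its own line as name "value"; the function names, the return codes and the extra check for a directory writable by "other" are this example's own. Run it as the account named runs under, since the write test applies to the current user.

```shell
#!/bin/sh
# Added example (not from the original post): preflight check for the
# "managed-keys-directory" setup. Assumes one option per line: name "value";

# conf_value FILE OPTION: print the quoted value of the first matching option.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\"\([^\"]*\)\"[[:space:]]*;.*/\1/p" "$1" |
        head -n 1
}

# check_managed_keys_dir FILE: print the resolved directory on stdout.
# Return codes (this example's own): 0 ok, 1 option not set, 2 directory
# missing, 3 not writable by the current user, 4 writable by "other".
check_managed_keys_dir() {
    conf=$1
    workdir=$(conf_value "$conf" directory)
    keydir=$(conf_value "$conf" managed-keys-directory)
    [ -n "$keydir" ] || { echo "managed-keys-directory is not set" >&2; return 1; }

    # A relative path is taken relative to named's working directory.
    case $keydir in
        /*) path=$keydir ;;
        *)  path=${workdir:-.}/$keydir ;;
    esac
    echo "$path"

    [ -d "$path" ] || { echo "missing directory: $path" >&2; return 2; }
    [ -w "$path" ] || { echo "not writable: $path" >&2; return 3; }

    # The files kept here hold trust anchors, so no other local account
    # should be able to write to the directory (9th character of the mode).
    case $(ls -ld "$path") in
        ????????w*) echo "writable by other: $path" >&2; return 4 ;;
    esac
    return 0
}

# Usage: sh check.sh /path/to/named.conf
if [ "$#" -gt 0 ]; then
    check_managed_keys_dir "$1"
fi
```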