Primary zone not fully maintained by BIND

Matthijs Mekking matthijs at isc.org
Fri May 27 14:07:40 UTC 2022


Nick,

On 27-05-2022 10:27, Nick Tait via bind-users wrote:
> On 26/05/22 20:34, Matthijs Mekking wrote:
>> What version are you using? We had a bug with dnssec-policy and views 
>> (#2463), but that has been fixed.
>>
>> Since 9.16.18 you should not be able to set the same key-directory for 
>> the same zone in different views. 
> 
> Hi Matthijs.
> 
> You got me worried just then because for several years I have been using 
> a split DNS set-up, with the same zone defined in two different views 
> which share a common keys directory. And then about a month ago I 
> upgraded from 9.16.something to 9.18.1.
> 
> But I've managed to find the release note that I think you're referring 
> to. From 
> https://downloads.isc.org/isc/bind9/9.16.29/doc/arm/html/notes.html#id24 :
> 
>     Zones which are configured in multiple views, with different values
>     set for |dnssec-policy| and with identical values set for
>     |key-directory|, are now detected and treated as a configuration
>     error. *[GL #2463]*
>     <https://gitlab.isc.org/isc-projects/bind9/-/issues/2463>
> 
> So based on this it would seem that it is OK for two views to define the 
> same DNSSEC zone and share the same keys directory, *as long as they are 
> using the same dnssec-policy*?

That is correct. Since key files don't have views in their name, each 
key in the key-directory corresponds to all zones with the same name, 
regardless of the view. Having a *different* policy causes continuous 
mismatches between what keys are in use for a certain zone and what is 
expected according to its policy.

Having the same policy for each zone per view should work fine*.

Best regards,
   Matthijs


*With Sandro's case being investigated at the moment.


> 
> Please advise if I've got that wrong?
> 
> Thanks,
> 
> Nick.
> 
> 
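The configuration error described in the quoted release note, as an added example that is not part of the original thread and is not ISC code: a simplified scan of a named.conf-style text for zones that appear in several views with the same key-directory but different dnssec-policy values. It assumes both options are set directly inside each zone block (no inheritance from `view` or `options`), and the defaults `.` and `none` are this sketch's own placeholders.

```python
import re
from collections import defaultdict

# Constructed sample (not from the thread): same zone, shared keys, two policies.
SAMPLE_CONF = '''
view "internal" { zone "example.com" {
    key-directory "keys"; dnssec-policy "default"; }; };
view "external" { zone "example.com." {
    key-directory "keys"; dnssec-policy "custom"; }; };  // policy differs
'''
TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def zone_settings(conf):
    """Yield (view, zone, key-directory, dnssec-policy) per zone block."""
    conf = re.sub(r'//[^\n]*|#[^\n]*|/\*.*?\*/', '', conf, flags=re.S)
    stack, stmt, view, name, opts = [], [], None, None, {}
    for tok in TOKEN.findall(conf):
        if tok == '{':                       # stmt holds the block header
            stack.append(stmt[0] if stmt else '')
            if stmt[:1] == ['view']:
                view = stmt[1]
            elif stmt[:1] == ['zone']:
                name = stmt[1].lower().rstrip('.')
                opts = {'key-directory': '.', 'dnssec-policy': 'none'}  # assumed defaults
            stmt = []
        elif tok == ';':                     # only options set directly in a zone
            if stack and stack[-1] == 'zone' and len(stmt) > 1 and stmt[0] in opts:
                opts[stmt[0]] = stmt[1]
            stmt = []
        elif tok == '}':
            closed = stack.pop() if stack else ''
            if closed == 'zone':
                yield view, name, opts['key-directory'], opts['dnssec-policy']
            elif closed == 'view':
                view = None
            stmt = []
        else:
            stmt.append(tok.strip('"'))

def policy_conflicts(conf):
    """Map (zone, key-directory) -> {view: policy} where the policies differ."""
    seen = defaultdict(dict)
    for view, zone, keydir, policy in zone_settings(conf):
        seen[(zone, keydir)][view] = policy
    return {k: v for k, v in seen.items() if len(set(v.values())) > 1}

if __name__ == '__main__':
    for (zone, keydir), views in policy_conflicts(SAMPLE_CONF).items():
        print(f'{zone}: key-directory "{keydir}" shared with policies {views}')
```

Giving both views the same policy, or separate key directories, makes the result empty.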

