Re: Piggybacking on a zone’s dnssec-policy using auto-dnssec: How can one do this after Bind 9.19?
Nick Tait
nick at tait.net.nz
Mon Apr 17 10:20:45 UTC 2023
On 17/04/23 09:08, Andrej Podzimek via bind-users wrote:
> The easiest (?) way to make DNSSEC work in all views has been to keep
> a dnssec-policy for zones in *one* of the views (to generate and
> maintain keys) and then passively refer to the keys from the zones’
> counterparts in other views using auto-dnssec. \o/
Hi Andrej.
I think you might be over-complicating this? I use multiple views that
define the same DNSSEC-signed zone, and I refer to the same
dnssec-policy (i.e. the 'real' policy that does the rollovers) in each
one. Admittedly I've only recently enabled automated ZSK roll-overs, but
my understanding (based on others asking questions about this) is that
recent versions of BIND are clever enough to recognise that the same
keys apply to both versions of the zone, so it doesn't trip over itself
when rolling keys.
See: https://www.mail-archive.com/bind-users@lists.isc.org/msg28526.html
Just make sure you aren't using an ancient version of BIND! :-)
Nick.
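
Added example, not part of the original message or of anyone's actual configuration: a named.conf sketch of the layout described above, with the same zone in two views and both referring to one dnssec-policy. The policy name, key parameters, zone name, file paths and client ranges are constructed placeholders, and pointing both zones at one key-directory is an assumption made here so that both copies of the zone see the same key files.

```conf
// Constructed example: one policy, referenced from the same zone in every view.
dnssec-policy "shared-policy" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D algorithm ecdsap256sha256;  // automated ZSK rollover
    };
};

view "internal" {
    match-clients { 10.0.0.0/8; };              // placeholder client range
    zone "example.com" {
        type primary;
        file "internal/example.com.db";         // per-view zone data
        key-directory "keys/example.com";       // assumption: same directory in both views
        dnssec-policy "shared-policy";          // the real policy, not a passive reference
        inline-signing yes;
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.db";         // different data, same keys
        key-directory "keys/example.com";
        dnssec-policy "shared-policy";
        inline-signing yes;
    };
};
```

Running named-checkconf against the file before reloading catches syntax errors in either view.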