KASP: sharing policy and keys between views
Matthijs Mekking
matthijs at isc.org
Fri Mar 17 14:42:34 UTC 2023
Hi Carsten,
We did have some bugs in the past when it comes to sharing keys with
dnssec-policy among different views. But the last one is from a year ago
(fixed in 9.16.19).
So while I don't have experience myself with a similar setup, we did
have some bug reports that used dnssec-policy and views that have been
resolved and it has been quiet when it comes to "dnssec-policy with
views" related bug reports.
Now that doesn't mean there are none, but hopefully adds a bit of
confidence.
Best regards,
Matthijs
On 3/17/23 11:46, Carsten Strotmann via bind-users wrote:
> Hi,
>
> (please do not start a discussion on the usefulness of views. I'm not
> in favor of views, but sometimes I have to work with them).
>
> I have a client that runs a split horizon (internal / external view
> of the same domain namespace) setup with BIND 9 on Linux.
>
> Both the internal and external views of the domain are DNSSEC
> signed.
>
> In the past, the setup was using "auto-dnssec maintain;" on a common,
> shared key directory with manually created keys. Both zones in both
> views fetched the keys and did the signing. This setup was stable and
> working fine.
>
> Because "auto-dnssec maintain;" is deprecated, we're evaluating to
> change the setup to use a shared DNSSEC KASP definition, pointing to
> the same key directory (using shared keys and a shared state file).
>
> The test setup runs without issues for one month now and has
> successfully done 3 ZSK rollovers in the time (KSK rollovers are
> manual). So it *seems* like a working configuration. We have not seen
> errors or race-conditions (but we might have been lucky).
>
> Does anyone here has experience with a similar setup, or deeper
> insight into the code and can tell me if this is a possible solution
> to operate a DNSSEC signed split horizon setup?
>
> Greetings
>
> Carsten Strotmann
>
>
More information about the bind-users
mailing list