Hi,

(please do not start a discussion on the usefulness of views. I'm not in favor of views, but sometimes I have to work with them).

I have a client that runs a split horizon (internal / external view of the same domain namespace) setup with BIND 9 on Linux. Both the internal and external views of the domain are DNSSEC signed.

In the past, the setup was using "auto-dnssec maintain;" on a common, shared key directory with manually created keys. Both zones in both views fetched the keys and did the signing. This setup was stable and working fine.

Because "auto-dnssec maintain;" is deprecated, we're evaluating changing the setup to use a shared DNSSEC KASP definition, pointing to the same key directory (using shared keys and a shared state file).

The test setup has been running without issues for one month now and has successfully done 3 ZSK rollovers in that time (KSK rollovers are manual). So it *seems* like a working configuration. We have not seen errors or race conditions (but we might have been lucky).

Does anyone here have experience with a similar setup, or deeper insight into the code, and can tell me if this is a possible solution to operate a DNSSEC signed split horizon setup?

Greetings

Carsten Strotmann

--
bind-users mailing list, bind-users@lists.isc.org, https://lists.isc.org/mailman/listinfo/bind-users
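As an added example (not part of the original message and not ISC code), the following sketch checks a named.conf for the arrangement described above: every zone that appears in several views with a common key-directory should also reference the same dnssec-policy. The embedded configuration is constructed; the view names, zone name, paths, algorithm and ZSK lifetime are assumptions, and the parser assumes no braces inside comments or strings.

```python
import re
from collections import defaultdict

# Constructed named.conf excerpt; all names, paths and lifetimes are assumptions.
SAMPLE_CONF = '''
dnssec-policy "shared" {
    keys { ksk key-directory lifetime unlimited algorithm ecdsap256sha256;
           zsk key-directory lifetime P10D algorithm ecdsap256sha256; };
};
view "internal" {
    match-clients { 10.0.0.0/8; };
    zone "example.com" {
        type primary; file "internal/example.com.db";
        dnssec-policy "shared"; key-directory "/var/named/keys";
    };
};
view "external" {
    match-clients { any; };
    zone "example.com" {
        type primary; file "external/example.com.db";
        dnssec-policy "shared"; key-directory "/var/named/keys";
    };
};
'''

def block_end(text, start):
    """Index just past the '}' closing the first '{' at or after start."""
    depth = 0
    for i in range(text.index("{", start), len(text)):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        if depth == 0:
            return i + 1
    raise ValueError("unbalanced braces")

def blocks(text, keyword):
    """Yield (name, body) for each `keyword "name" { ... }` statement."""
    for m in re.finditer(r'\b%s\s+"([^"]+)"\s*\{' % keyword, text):
        yield m.group(1), text[m.start():block_end(text, m.start())]

def policy_mismatches(conf):
    """Zones whose views share a key-directory but differ in dnssec-policy."""
    seen = defaultdict(set)  # (zone, key-directory) -> {(view, policy)}
    for view, vbody in blocks(conf, "view"):
        for zone, zbody in blocks(vbody, "zone"):
            opt = dict(re.findall(r'(dnssec-policy|key-directory)\s+"([^"]+)"', zbody))
            seen[zone, opt.get("key-directory")].add((view, opt.get("dnssec-policy")))
    return {k: sorted(v) for k, v in seen.items()
            if k[1] and len({p for _, p in v}) > 1}

print(policy_mismatches(SAMPLE_CONF) or "shared key-directory, same policy in all views")
```

An empty result means every zone that shares a key directory across views is bound to one policy; it says nothing about how named coordinates the shared state file at run time.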