Hi Carsten,
We did have some bugs in the past when it comes to sharing keys with
dnssec-policy among different views. But the last one is from a year ago
(fixed in 9.16.19).
So while I don't have experience myself with a similar setup, we did
have some bug reports that used dnssec-policy and views that have been
resolved and it has been quiet when it comes to "dnssec-policy with
views" related bug reports.
Now that doesn't mean there are none, but hopefully adds a bit of
confidence.
Best regards,
Matthijs
On 3/17/23 11:46, Carsten Strotmann via bind-users wrote:
Hi,
(please do not start a discussion on the usefulness of views. I'm not
in favor of views, but sometimes I have to work with them).
I have a client that runs a split horizon (internal / external view
of the same domain namespace) setup with BIND 9 on Linux.
Both the internal and external views of the domain are DNSSEC
signed.
In the past, the setup was using "auto-dnssec maintain;" on a common,
shared key directory with manually created keys. Both zones in both
views fetched the keys and did the signing. This setup was stable and
working fine.
Because "auto-dnssec maintain;" is deprecated, we're evaluating changing
the setup to use a shared DNSSEC KASP definition, pointing to
the same key directory (using shared keys and a shared state file).
The test setup has been running without issues for one month now and has
successfully done 3 ZSK rollovers in that time (KSK rollovers are
manual). So it *seems* like a working configuration. We have not seen
errors or race-conditions (but we might have been lucky).
Does anyone here have experience with a similar setup, or deeper
insight into the code and can tell me if this is a possible solution
to operate a DNSSEC signed split horizon setup?
Greetings
Carsten Strotmann
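For readers who want to see what the setup under discussion looks like in named.conf, here is an added example; it is not configuration posted by either participant or shipped by ISC. The zone name example.net, the file paths, the client ACLs, the algorithm choice and the ZSK lifetime are assumptions; the shape (one dnssec-policy referenced from the same zone in two views, both zones pointing at one key-directory so they read the same key files and .state files, KSK rollover left manual via an unlimited lifetime) follows what the thread describes.

```conf
/* Added example, not from the original thread. One policy definition shared by both views. */
dnssec-policy "split-horizon" {
    keys {
        /* KSK rollover stays manual, as in the thread: no automatic lifetime. */
        ksk lifetime unlimited algorithm ecdsap256sha256;
        /* ZSK lifetime is an assumed value; named rolls the ZSK automatically. */
        zsk lifetime P30D algorithm ecdsap256sha256;
    };
};

view "internal" {
    match-clients { 10.0.0.0/8; 192.168.0.0/16; };   /* assumed internal ranges */

    zone "example.net" {
        type primary;
        file "/var/named/internal/example.net.db";   /* internal zone content */
        /* Same key directory in both views: shared keys and shared .state files. */
        key-directory "/var/named/keys/example.net";
        dnssec-policy "split-horizon";
        inline-signing yes;
    };
};

view "external" {
    match-clients { any; };

    zone "example.net" {
        type primary;
        file "/var/named/external/example.net.db";   /* external zone content */
        key-directory "/var/named/keys/example.net"; /* identical to the internal view */
        dnssec-policy "split-horizon";
        inline-signing yes;
    };
};
```

The two things to keep identical across views are the policy name and the key-directory; if they diverge, each zone instance manages its own key set and state and the views no longer share keys. To confirm both instances see the same keys and the same rollover state, check each view separately with `rndc dnssec -status example.net IN internal` and `rndc dnssec -status example.net IN external` and compare the key IDs and timing in the output.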
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users