On 23. 05. 23 9:33, Gert Doering wrote:
> Hi,
>
> On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:
>> This however had the side effect that child zones that are not signed were no
>> longer resolving
>
> ... this statement is not actually correct. Non-signed child zones are
> perfectly fine *as long* as there are no DS records for those children in
> the parent. Think ".de" and all the non-signed "$domain.de" zones...
>
> [..]
>
>> Are you signing DHCP zones?
>> Would you recommend (not) doing it?
>> If you are doing it, how are you doing it?
>
> We're not currently doing it, but that's more a bit of laziness on my
> side - our DHCP setup currently uses ISC DHCP, and the zones are hosted
> on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS
> nsupdate to BIND, and from there, BIND could do "normal" inline signing.
>
> Having DHCP+DNS integrated in dnsmasq makes this more complicated, but
> you could theoretically have "a real DNS" server AXFR the zones from
> dnsmasq, and then sign them there.
I agree. 'Usual' setup is a DHCP which sends DNS updates to a separate
DNS server and the DNS server takes care of DNSSEC when it receives the
dynamic update.
Besides other things this allows for redundancy both on DHCP and DNS side.
If you want to migrate to another DHCP server then please skip ISC DHCP
(that's basically end-of-life) and go straight to Kea (also by ISC) or
something else.
HTH.
--
Petr Špaček
Internet Systems Consortium
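The "usual" setup both replies describe (DHCP server sends TSIG-authenticated RFC 2136 dynamic updates to a separate BIND 9 primary, and BIND does the signing itself), written out as an added example that is not part of the thread and not ISC's code. The zone name dhcp.example.net, the key name ddns-key, the server address 192.0.2.53, the /etc/bind and /var/lib/bind paths and the host names are all constructed; the BIND directives (dnssec-policy, inline-signing, update-policy with a zonesub grant) and the nsupdate and dig invocations are standard BIND 9.16+ tooling.

```shell
#!/bin/sh
# Added example (not from the thread): dhcpd -> nsupdate over TSIG -> BIND 9
# primary, which signs the zone with dnssec-policy / inline signing, so the
# DHCP side never has to know anything about DNSSEC.
# Zone, key name, server address, file paths and host names are constructed.

ZONE="${ZONE:-dhcp.example.net}"
KEYNAME="${KEYNAME:-ddns-key}"
PRIMARY="${PRIMARY:-192.0.2.53}"

# 1. One TSIG key shared by dhcpd and named. tsig-keygen emits a complete
#    key {} statement that both named.conf (include) and nsupdate -k accept.
make_key() {
    tsig-keygen "$KEYNAME" > "/etc/bind/$KEYNAME.conf"
    chmod 640 "/etc/bind/$KEYNAME.conf"      # secret: not world-readable
}

# 2. named.conf zone stanza. update-policy restricts updates to the TSIG key and
#    to names below the apex (zonesub), so a compromised DHCP box cannot rewrite
#    the apex NS/SOA. dnssec-policy makes named generate keys, sign every change
#    and refresh signatures on its own.
render_named_conf() {
    zone="$1"; key="$2"
    cat <<EOF
include "/etc/bind/$key.conf";

zone "$zone" {
    type primary;
    file "/var/lib/bind/$zone.db";
    dnssec-policy default;
    inline-signing yes;
    update-policy {
        grant $key zonesub ANY;
    };
};
EOF
}

# 3. What dhcpd (or a lease hook) sends for a lease: delete any old A record for
#    the name and add the new one, in a single atomic update transaction.
render_nsupdate_script() {
    zone="$1"; host="$2"; addr="$3"; ttl="${4:-300}"
    printf 'server %s\n' "$PRIMARY"
    printf 'zone %s\n' "$zone"
    printf 'update delete %s.%s. A\n' "$host" "$zone"
    printf 'update add %s.%s. %s A %s\n' "$host" "$zone" "$ttl" "$addr"
    printf 'send\n'
}

apply_update() {
    render_nsupdate_script "$ZONE" "$1" "$2" | nsupdate -k "/etc/bind/$KEYNAME.conf"
}

# 4. Checks. After the update the primary must answer with an RRSIG for the new
#    record. And, as Gert notes, an unsigned (or not-yet-signed) child is only
#    harmless while the parent has no DS for it: publish the DS only after the
#    zone is signed and its DNSKEY is being served, otherwise validating
#    resolvers will SERVFAIL the whole zone.
verify_signed() {
    dig @"$PRIMARY" +dnssec +noall +answer "$1.$ZONE." A | grep -q RRSIG
}
parent_has_ds() {
    # asks the system resolver; empty output means no DS in the parent
    [ -n "$(dig +short "$ZONE." DS)" ]
}

# Usage: ./dhcp-ddns.sh key | conf | add <host> <addr> | ds
case "${1:-}" in
    key)  make_key ;;
    conf) render_named_conf "$ZONE" "$KEYNAME" ;;
    add)  apply_update "$2" "$3" && verify_signed "$2" ;;
    ds)   if parent_has_ds; then echo "DS present in parent"; else echo "no DS in parent"; fi ;;
esac
```

With this layout the DHCP server holds only the TSIG secret and a short update script; key generation, signing and signature refresh live on the primary, and a secondary can AXFR the signed zone for redundancy, which is the dnsmasq-to-"real DNS" route Gert mentions as well.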
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/dns-wg