Hi Scott,

> If I have a different view for external (from the Internet) queries, than
> for internal queries (from my own network), does anyone know if it is
> possible to sign different views with ods?

In principle, this could be done. The only link from the parent zone to the two versions of the child zone are the DS records that point to the DNSKEYs. You will want to use the same DNSKEYs in both views; at least the KSKs (marked with the 257 flags) should match.

The practical way with OpenDNSSEC is probably to set up one policy into which both zones are imported, and to set <SharedKeys/> for that policy. That way, the keys are properly shared. The problem that I expect you will run into is that you would have two zones with the same name in one OpenDNSSEC instance. And it'd have to be one instance, if you want to continue sharing the KSKs. No idea if this could be considered a "feature" to add; it's a bit of a stretch...

So, here's another scenario. You would create two separate instances of OpenDNSSEC, each signing a version of the zone. They also create their own KSKs and roll them independently. Then, using the possibility to enter multiple DS's into the parent zone, you would simply add one for each in your parent. Be sure to use the exact same set of algorithms (probably just RSA-SHA1 and/or RSA-SHA256) on both zones, or else you will see failures -- for each algorithm there must be a valid trace from parent to child; even if you (in this case BIND) don't check it, someone else (in this case Unbound) will. The ugly bit of this is that everyone would see your internal zone's DS, assuming that you didn't split the parent as well :)

So, here's a third scenario. You could just set up an internal zone (and wonder if it needs signing, when you can trust your LAN) and specify in your resolvers (who probably are behind the same perimeter) the secure entry point of your choice for the internal view of the zone.

Phew, this is complicated -- and fun :) I hope I made some sense to you with these suggestions.

Cheers,

Rick van Rein

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
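The requirement in the second scenario, that every algorithm in the parent's DS set has a valid chain into each view, can be checked mechanically before publishing. The Python below is an added example, not from the mail or from OpenDNSSEC: the zone name and key bytes are constructed placeholders, and it builds DS records from the DNSKEY RDATA (RFC 4034/4509) to compare each view's KSKs against the parent's DS set.

```python
import hashlib
import struct

ZONE = "example.com."          # constructed zone name, not from the mail
KSK_FLAGS = 257                # zone key + SEP bit, the "257 flags" in the mail
RSASHA1, RSASHA256 = 5, 8      # DNSSEC algorithm numbers

def wire_name(name):
    """Owner name in canonical lowercase wire form (RFC 4034 section 6.2)."""
    labels = [l.encode() for l in name.lower().rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def dnskey_rdata(flags, alg, pubkey):
    """DNSKEY RDATA: flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, 3, alg) + pubkey

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(name, rdata):
    """DS as (key tag, algorithm, digest type 2, SHA-256 hex digest), RFC 4509."""
    digest = hashlib.sha256(wire_name(name) + rdata).hexdigest()
    return (key_tag(rdata), rdata[3], 2, digest)

def check_view(name, parent_ds, view_keys):
    """Return the DS algorithms for which this view has no matching KSK.

    For every algorithm present in the parent's DS set, some DS of that
    algorithm must match a KSK (SEP bit set) published in the view; an empty
    result means a validator can build a chain for each algorithm."""
    ksk_ds = {ds_record(name, k) for k in view_keys if k[1] & 1}
    return {ds[1] for ds in parent_ds} - {ds[1] for ds in parent_ds if ds in ksk_ds}

def demo():
    """Two-instance setup: each view has its own KSK and its own DS in the parent."""
    ext_ksk = dnskey_rdata(KSK_FLAGS, RSASHA256, b"external-ksk-placeholder")
    int_sha1 = dnskey_rdata(KSK_FLAGS, RSASHA1, b"internal-ksk-placeholder")
    int_sha256 = dnskey_rdata(KSK_FLAGS, RSASHA256, b"internal-ksk-placeholder")
    mixed = {ds_record(ZONE, ext_ksk), ds_record(ZONE, int_sha1)}    # algorithm sets differ
    same = {ds_record(ZONE, ext_ksk), ds_record(ZONE, int_sha256)}   # both views use RSASHA256
    return {
        "mixed_external": check_view(ZONE, mixed, [ext_ksk]),      # {5}: no RSASHA1 KSK here
        "mixed_internal": check_view(ZONE, mixed, [int_sha1]),     # {8}: no RSASHA256 KSK here
        "same_external": check_view(ZONE, same, [ext_ksk]),        # set(): chain for every algorithm
        "same_internal": check_view(ZONE, same, [int_sha256]),     # set()
    }
```

A non-empty result for either view is exactly the case a strict validator such as Unbound rejects even when the view's own signatures verify.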
