On 03.10.2013 10:25, Havard Eidnes wrote:
>> For some zones I have multiple views with different content.
>>
>> How can I configure this in OpenDNSSec in combination with SoftHSM?
>
> My opinion: I think you are stretching the DNS model too far by
> trying to do this.
>
> But ... if you really want the associated pain, I suspect you
> will have to operate with two different OpenDNSSEC instances, one
> signing the public version, one signing the "other (internal?)
> view".
>
> You do of course need to ensure that any validating resolvers are
> not exposed to a mixed world view, picking up data from both of
> the two distinct views.

I think it also would make sense to use the same keys on both ODS instances to have a common trust anchor in the parent zone (e.g. ODS1 creates keys in SoftHSM, runs the ods-enforcer, and runs the ods-signer. Sync the SoftHSM and the KASP DB to ODS2 and on ODS2 only run the ods-signer. I think this should work), or put the fingerprints of both KSKs into the parent zone.

regards
Klaus
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
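
A check for the two options discussed in this thread, as an added example that is not part of the original messages: given the DNSKEY records published by each view, it computes the key tag and SHA-256 DS digest of every KSK and reports whether both views share one trust anchor or the parent needs a DS for each. The zone name `example.com.` and the key material are constructed placeholders; real input would be the DNSKEY RRset fetched from each view.

```python
import base64, hashlib, struct

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """Key tag as defined in RFC 4034, Appendix B."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def owner_wire(name):
    """Canonical (lower-case) wire form of the zone name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ksk_ds_set(zone, dnskeys):
    """(key tag, algorithm, SHA-256 DS digest) for each key with the SEP bit set."""
    out = set()
    for flags, protocol, algorithm, pubkey_b64 in dnskeys:
        if flags & 0x0001:  # SEP bit marks a KSK
            rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
            digest = hashlib.sha256(owner_wire(zone) + rdata).hexdigest().upper()
            out.add((key_tag(rdata), algorithm, digest))
    return out

def views_share_trust_anchor(zone, view_a, view_b):
    """True when both views publish the same KSK set, so one DS set covers both."""
    return ksk_ds_set(zone, view_a) == ksk_ds_set(zone, view_b)

def required_parent_ds(zone, *views):
    """Every DS the parent must carry so that each view validates."""
    return set().union(*(ksk_ds_set(zone, v) for v in views))

# Constructed placeholder key material (not real keys), base64 as in a DNSKEY RR.
b64 = lambda raw: base64.b64encode(raw).decode()
KSK, KSK_OTHER, ZSK = b64(bytes(range(64))), b64(bytes(range(1, 65))), b64(bytes(range(2, 66)))
INTERNAL = [(257, 3, 8, KSK), (256, 3, 8, ZSK)]
EXTERNAL_SYNCED = [(257, 3, 8, KSK), (256, 3, 8, ZSK)]          # keys copied from ODS1
EXTERNAL_SEPARATE = [(257, 3, 8, KSK_OTHER), (256, 3, 8, ZSK)]  # second instance, own KSK

if __name__ == "__main__":
    for label, ext in (("synced", EXTERNAL_SYNCED), ("separate", EXTERNAL_SEPARATE)):
        same = views_share_trust_anchor("example.com.", INTERNAL, ext)
        needed = len(required_parent_ds("example.com.", INTERNAL, ext))
        print(label, "shared KSK:", same, "DS records needed in parent:", needed)
```
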
