Re: KASP: sharing policy and keys between views
Hi Carsten.

I've been running split views with a DNSSEC zone using dnssec-policy for at least a couple of years. I'm using a CSK (i.e. combined KSK+ZSK) and haven't yet worked out the best way to automate key rollover wrt DS in the parent zone, so my key rollovers are manual currently. Consequently I've only done a key rollover a couple of times in that period. But this setup has been working fine for me the whole time.

Nick.

Original message
From: Matthijs Mekking
Date: 18/03/23 3:43 AM (GMT+12:00)
To: bind-users@lists.isc.org
Subject: Re: KASP: sharing policy and keys between views

Hi Carsten,

We did have some bugs in the past when it comes to sharing keys with dnssec-policy among different views. But the last one is from a year ago (fixed in 9.16.19).

So while I don't have experience myself with a similar setup, we did have some bug reports that used dnssec-policy and views that have been resolved, and it has been quiet when it comes to "dnssec-policy with views" related bug reports.

Now that doesn't mean there are none, but hopefully it adds a bit of confidence.

Best regards,
Matthijs

On 3/17/23 11:46, Carsten Strotmann via bind-users wrote:
> Hi,
>
> (please do not start a discussion on the usefulness of views. I'm not in favor of views, but sometimes I have to work with them).
>
> I have a client that runs a split horizon (internal / external view of the same domain namespace) setup with BIND 9 on Linux.
>
> Both the internal and external views of the domain are DNSSEC signed.
>
> In the past, the setup was using "auto-dnssec maintain;" on a common, shared key directory with manually created keys. Both zones in both views fetched the keys and did the signing. This setup was stable and working fine.
>
> Because "auto-dnssec maintain;" is deprecated, we're evaluating changing the setup to use a shared DNSSEC KASP definition, pointing to the same key directory (using shared keys and a shared state file).
>
> The test setup has run without issues for one month now and has successfully done 3 ZSK rollovers in that time (KSK rollovers are manual). So it *seems* like a working configuration. We have not seen errors or race conditions (but we might have been lucky).
>
> Does anyone here have experience with a similar setup, or deeper insight into the code, and can tell me if this is a possible solution to operate a DNSSEC signed split horizon setup?
>
> Greetings
>
> Carsten Strotmann

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Re: KASP: sharing policy and keys between views
Hi Carsten,

We did have some bugs in the past when it comes to sharing keys with dnssec-policy among different views. But the last one is from a year ago (fixed in 9.16.19).

So while I don't have experience myself with a similar setup, we did have some bug reports that used dnssec-policy and views that have been resolved, and it has been quiet when it comes to "dnssec-policy with views" related bug reports.

Now that doesn't mean there are none, but hopefully it adds a bit of confidence.

Best regards,
Matthijs

On 3/17/23 11:46, Carsten Strotmann via bind-users wrote:
> Hi,
>
> (please do not start a discussion on the usefulness of views. I'm not in favor of views, but sometimes I have to work with them).
>
> I have a client that runs a split horizon (internal / external view of the same domain namespace) setup with BIND 9 on Linux.
>
> Both the internal and external views of the domain are DNSSEC signed.
>
> In the past, the setup was using "auto-dnssec maintain;" on a common, shared key directory with manually created keys. Both zones in both views fetched the keys and did the signing. This setup was stable and working fine.
>
> Because "auto-dnssec maintain;" is deprecated, we're evaluating changing the setup to use a shared DNSSEC KASP definition, pointing to the same key directory (using shared keys and a shared state file).
>
> The test setup has run without issues for one month now and has successfully done 3 ZSK rollovers in that time (KSK rollovers are manual). So it *seems* like a working configuration. We have not seen errors or race conditions (but we might have been lucky).
>
> Does anyone here have experience with a similar setup, or deeper insight into the code, and can tell me if this is a possible solution to operate a DNSSEC signed split horizon setup?
>
> Greetings
>
> Carsten Strotmann
KASP: sharing policy and keys between views
Hi,

(please do not start a discussion on the usefulness of views. I'm not in favor of views, but sometimes I have to work with them).

I have a client that runs a split horizon (internal / external view of the same domain namespace) setup with BIND 9 on Linux.

Both the internal and external views of the domain are DNSSEC signed.

In the past, the setup was using "auto-dnssec maintain;" on a common, shared key directory with manually created keys. Both zones in both views fetched the keys and did the signing. This setup was stable and working fine.

Because "auto-dnssec maintain;" is deprecated, we're evaluating changing the setup to use a shared DNSSEC KASP definition, pointing to the same key directory (using shared keys and a shared state file).

The test setup has run without issues for one month now and has successfully done 3 ZSK rollovers in that time (KSK rollovers are manual). So it *seems* like a working configuration. We have not seen errors or race conditions (but we might have been lucky).

Does anyone here have experience with a similar setup, or deeper insight into the code, and can tell me if this is a possible solution to operate a DNSSEC signed split horizon setup?

Greetings

Carsten Strotmann
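The configuration shape Carsten describes, as an added example and not his or ISC's actual named.conf: one dnssec-policy referenced by the same zone in two views, with both zone statements pointing at the same key-directory so that the key files and their .state files are shared. The policy name, algorithm, lifetimes, file paths and client ranges are assumptions; the manual-KSK / automated-ZSK split and the 9.16.19 minimum version come from the thread.

```conf
// Added example (not the poster's configuration). Assumes BIND 9.16.19 or
// later, per the reply above about the last views-related fix.

dnssec-policy "shared-views" {
    keys {
        // KSK rollovers stay manual in the thread's setup: an unlimited
        // lifetime means named never schedules one on its own.
        ksk lifetime unlimited algorithm ecdsap256sha256;
        // ZSK rollovers are automated by the policy (assumed 90-day lifetime).
        zsk lifetime P90D algorithm ecdsap256sha256;
    };
};

view "internal" {
    match-clients { 10.0.0.0/8; localhost; };   // assumed internal range
    recursion yes;
    zone "example.com" {
        type primary;
        // Each view keeps its own unsigned zone file. This must differ per
        // view, because inline-signing derives the .signed and .jnl names
        // from it.
        file "/var/named/internal/example.com.db";
        // Both views share this directory, and therefore one set of keys
        // and one set of .state files.
        key-directory "/var/named/keys/example.com";
        dnssec-policy "shared-views";
        inline-signing yes;
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type primary;
        file "/var/named/external/example.com.db";
        key-directory "/var/named/keys/example.com";
        dnssec-policy "shared-views";
        inline-signing yes;
    };
};
```

Because the .state files are shared, `rndc dnssec -status example.com IN internal` and `rndc dnssec -status example.com IN external` should report identical key states and timings; a divergence between the two views is the first thing to check if signing in one view falls behind the other.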