Hi Václav,

> Is there a practice to share keys between DNS views of the
> same DNZ zone?
ZKT has some rudimentory support of views, but it sadly does not work
with shared keys.

If this is a requirement, please have a look at the signing features
BIND 9.9 provides. I'm pretty sure that this works well together with
shared keys, but for sure, you have to write your own script for key
maintanance, DS update etc.

There is an somewhat old draft [1] describing the different
opportunities for key signing in split-view setups (see chapter 4).

> Pretend I have example.com zone and view "int" and "pub".
> Must be done the job of sharing KSK and ZSK between views by some custom
> script?
Personally, I'm no longer a fan of split-view setups.

The more general approach is to use different zones for internal (eg.
"int.example.com") and public ("example.com") usage. With this kind of
setup it is always obvious with which host you want to communicate
(www.example.com, or www.int.example.com).

And if you "really" want to have the "smartness" of using the same name,
even if you are in the internal or external network, you can setup a
searchlist in the internal network, but this has it's own security flaws.

And if we are talking about IPv6: There is no longer a need for private
address space, and then no need for "private" name space as well.

Best regards


Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE
zkt-users mailing list

Reply via email to