Hi Holger,

On Thu, Feb 19, 2015 at 05:56:59PM +0100, Holger Zuleger wrote:
> > Is there a practice to share keys between DNS views of the
> > same DNS zone?
> ZKT has some rudimentary support of views, but it sadly does not work
> with shared keys.

I was afraid of this.

> If this is a requirement, please have a look at the signing features
> BIND 9.9 provides. I'm pretty sure that this works well together with
> shared keys, but for sure, you have to write your own script for key
> maintenance, DS update etc.

Yes, I'm already experimenting with this a bit.

> There is a somewhat old draft [1] describing the different
> opportunities for key signing in split-view setups (see chapter 4).

Very interesting document, thanks for reference!

> > Pretend I have the example.com zone and views "int" and "pub".
> > Must the job of sharing KSK and ZSK between views be done by some custom
> > script?
> Personally, I'm no longer a fan of split-view setups.
> 
> The more general approach is to use different zones for internal (eg.
> "int.example.com") and public ("example.com") usage. With this kind of
> setup it is always obvious with which host you want to communicate
> (www.example.com, or www.int.example.com).
> 
> And if you "really" want to have the "smartness" of using the same name,
> even if you are in the internal or external network, you can set up a
> searchlist in the internal network, but this has its own security flaws.
> 
> And if we are talking about IPv6: There is no longer a need for private
> address space, and then no need for "private" name space as well.

We talked yesterday with a colleague, with a very similar result.
Unfortunately our internal zone is very huge, thousands of records. :(
This is our historical burden. Moving internal records into a sub-domain will
be very tedious work and a long run.

Thank you very much for the thorough analysis and valuable information!
Best Regards
-- 
Zito
