dnssec-policy default;
Slightly off-topic, but I believe ISC recommend using a custom policy instead
of `default' in case the default changes in future.
view "internal" {
    zone "penguinpee.nl" {
        type primary;
        file "dynamic/penguinpee.nl.internal.zone";
    };
};
view "external" {
    zone "penguinpee.nl" {
        type primary;
        file "master/penguinpee.nl.zone";
    };
};
Using delv, the internal view of the zone fully validated, for SOA, A,
AAAA etc.
That surprises me a bit; I've always maintained BIND will not validate a
DNSSEC-signed zone it is authoritative for. Unless you mean RRSIGs were
still valid.
I thought that with 'dnssec-policy default' BIND would take care of
it. Upon updating the zone, increase the serial number and tell named
with 'rndc reload zone'. What am I missing?
BIND should be signing the zone(s) with dnssec-policy, yes, and the
dynamically-updateable zone will be signed on update and SOA serial
increased automatically.
I wonder whether it's getting confused (can software get confused? I suppose
so) with the two identically-named zones. If this were my installation and
I had to use views, I'd try specifying distinct policies for the zones
to see if that makes a difference.
-JP
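
Added example, not part of the original message and not ISC's own configuration: one way to lay out the suggestion above, with a separate named policy for each view's copy of the zone. The policy names, key directories and timing values are assumptions made for illustration.

```conf
// Constructed example. "pp-internal", "pp-external" and the keys/ paths
// are hypothetical names; the timing values are chosen for the example.
dnssec-policy "pp-internal" {
    keys {
        csk key-directory lifetime unlimited algorithm ecdsap256sha256;
    };
    dnskey-ttl 3600;
    max-zone-ttl 86400;
    signatures-validity 14d;
    signatures-refresh 5d;
};

dnssec-policy "pp-external" {
    keys {
        csk key-directory lifetime unlimited algorithm ecdsap256sha256;
    };
    dnskey-ttl 3600;
    max-zone-ttl 86400;
    signatures-validity 14d;
    signatures-refresh 5d;
};

view "internal" {
    // match-clients and other view options stay as in the existing config
    zone "penguinpee.nl" {
        type primary;
        file "dynamic/penguinpee.nl.internal.zone";
        dnssec-policy "pp-internal";
        // separate directory so this view's key and state files stay apart
        key-directory "keys/internal";
    };
};

view "external" {
    zone "penguinpee.nl" {
        type primary;
        file "master/penguinpee.nl.zone";
        dnssec-policy "pp-external";
        key-directory "keys/external";
    };
};
```

Run named-checkconf before reloading, then check each view's signing state separately with 'rndc dnssec -status penguinpee.nl IN internal' and the same for external.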