On 17/04/23 09:08, Andrej Podzimek via bind-users wrote:
> The easiest (?) way to make DNSSEC work in all views has been to keep a dnssec-policy for zones in *one* of the views (to generate and maintain keys) and then passively refer to the keys from the zones’ counterparts in other views using auto-dnssec. \o/

Hi Andrej.

I think you might be over-complicating this? I use multiple views that define the same DNSSEC-signed zone, and I refer to the same dnssec-policy (i.e. the 'real' policy that does the rollovers) in each one. Admittedly I've only recently enabled automated ZSK roll-overs, but my understanding (based on others asking questions about this) is that recent versions of BIND are clever enough to recognise that the same keys apply to both versions of the zone, so it doesn't trip over itself when rolling keys.

See: https://www.mail-archive.com/bind-users@lists.isc.org/msg28526.html

Just make sure you aren't using an ancient version of BIND! :-)

Nick.
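
A named.conf layout matching the approach described in the reply above, added here as an illustration (it is not configuration from either poster). The policy name, ACL, zone name, key lifetimes and file paths are constructed, and pointing both views at one key-directory is an assumption about how the zone's keys end up common to both views.

```conf
# Constructed example: all names, addresses and paths below are placeholders.

# One policy definition, referenced by the zone in every view.
dnssec-policy "shared-policy" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime P90D algorithm ecdsap256sha256;   # automated ZSK rollover
    };
};

acl "internal-nets" { 192.0.2.0/24; };

view "internal" {
    match-clients { "internal-nets"; };
    zone "example.com" {
        type primary;
        file "internal/example.com.db";     # view-specific zone data
        key-directory "keys/example.com";   # assumption: same directory in both views
        dnssec-policy "shared-policy";      # the real policy, not a passive reference
        inline-signing yes;
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.db";     # different data, same zone name
        key-directory "keys/example.com";   # assumption: same directory in both views
        dnssec-policy "shared-policy";      # identical policy in each view
        inline-signing yes;
    };
};
```

Running named-checkconf against the file before reloading catches syntax errors and policy mismatches between the two zone definitions.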
