dnssec-policy & views


dnssec-policy & views

Graham Clinch
How does the new-in-9.16 dnssec-policy interact with views - in
particular for key generation/rollover?

For example, we have a zone defined in multiple views with different
contents (and thus not suitable for in-view), being signed by the same
set of keys (currently maintained by dnssec-keymgr) - this allows us to
publish only a single set of DS records for that zone.

If a zone 'example.net' is defined in view 'a', and a zone 'example.net'
is defined in view 'b', but both views share a single key-directory, is
it 'safe' to configure dnssec-policy in both views?

Graham
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users
Re: dnssec-policy & views

Matthijs Mekking
Hi Graham,

On 2/29/20 5:27 PM, Graham Clinch wrote:

> How does the new-in-9.16 dnssec-policy interact with views - in
> particular for key generation/rollover?
>
> For example, we have a zone defined in multiple views with different
> contents (and thus not suitable for in-view), being signed by the same
> set of keys (currently maintained by dnssec-keymgr) - this allows us to
> publish only a single set of DS records for that zone.
>
> If a zone 'example.net' is defined in view 'a', and a zone 'example.net'
> is defined in view 'b', but both views share a single key-directory, is
> it 'safe' to configure dnssec-policy in both views?

Thanks for sharing your use case. I tried it and it is unsafe to do so
in 9.16.0.

The dnssec-policy does not take into account shared keys. But with views
you sort of implicitly have shared keys because you have multiple
versions of the zone. In the current code there is a race condition on
running key management on the different versions of the zone which may
result in too many keys.

I created an issue for this bug:

    https://gitlab.isc.org/isc-projects/bind9/issues/1653

And I have a proposed fix for it. It may make the 9.16.1 release,
otherwise 9.16.2. With this fix you should be able to safely configure
dnssec-policy for a zone in multiple views, sharing the same set of keys.

Best regards,

Matthijs

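The configuration Graham asks about, and a check for the symptom Matthijs describes, as an added example that is not part of the original thread and not ISC's own code. The first function writes a named.conf fragment for one zone served from two views, both zone definitions pointing at the same key-directory and the same dnssec-policy (the policy name "shared", the file paths, the client prefix and the key lifetimes are assumptions). Per the reply above, this layout is unsafe in 9.16.0 until the fix for issue 1653 lands. The second part counts key files per zone and role in such a key-directory, so an operator can spot the "too many keys" outcome of the race; the sample key directory is constructed inline with hypothetical key ids and truncated key material.

```shell
#!/bin/sh
# Added example (not from the thread). Two parts:
#  1. a named.conf fragment for one zone in two views sharing a key-directory
#     and a dnssec-policy (policy name, paths, prefix, lifetimes are assumed);
#  2. a check that counts keys per zone and role in that key-directory, to
#     detect the "too many keys" symptom described for 9.16.0.

# write_named_conf DEST: write the two-view, shared-key configuration to DEST.
write_named_conf() {
    cat > "$1" <<'EOF'
dnssec-policy "shared" {
    keys {
        ksk lifetime unlimited algorithm 13;
        zsk lifetime P90D algorithm 13;
    };
};

view "a" {
    match-clients { 192.0.2.0/24; };
    zone "example.net" {
        type primary;
        file "/var/named/a/example.net.db";
        key-directory "/var/named/keys";   /* same directory in both views */
        dnssec-policy "shared";
        inline-signing yes;
    };
};

view "b" {
    match-clients { any; };
    zone "example.net" {
        type primary;
        file "/var/named/b/example.net.db";
        key-directory "/var/named/keys";
        dnssec-policy "shared";
        inline-signing yes;
    };
};
EOF
}

# count_keys DIR ZONE FLAGS: print how many K<ZONE>.+<alg>+<id>.key files in
# DIR carry a DNSKEY RR with the given flags field (257 = KSK, 256 = ZSK).
count_keys() {
    dir=$1; zone=$2; flags=$3
    n=0
    for f in "$dir"/K"$zone".+*.key; do
        [ -e "$f" ] || continue
        # A .key file holds "<owner> [ttl] [IN] DNSKEY <flags> <proto> <alg> <key>"
        # plus ';' comment lines, which are dropped before parsing.
        if grep -v '^;' "$f" | awk -v want="$flags" '
            /DNSKEY/ { for (i = 1; i <= NF; i++)
                           if ($i == "DNSKEY" && $(i+1) == want) found = 1 }
            END { exit found ? 0 : 1 }'; then
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# check_zone DIR ZONE MAX: print the per-role counts and fail (non-zero) if
# either role has more than MAX keys. MAX=2 tolerates an in-progress rollover.
check_zone() {
    dir=$1; zone=$2; max=$3
    ksk=$(count_keys "$dir" "$zone" 257)
    zsk=$(count_keys "$dir" "$zone" 256)
    echo "$zone: KSK=$ksk ZSK=$zsk (max per role $max)"
    [ "$ksk" -le "$max" ] && [ "$zsk" -le "$max" ]
}

# make_sample_keydir: constructed key directory (hypothetical ids, fake key
# material). example.net has three ZSKs, one more than a rollover explains.
make_sample_keydir() {
    d=$(mktemp -d)
    printf 'example.net. IN DNSKEY 257 3 13 AAAA\n' > "$d/Kexample.net.+013+11111.key"
    printf 'example.net. IN DNSKEY 256 3 13 BBBB\n' > "$d/Kexample.net.+013+22222.key"
    printf 'example.net. IN DNSKEY 256 3 13 CCCC\n' > "$d/Kexample.net.+013+33333.key"
    printf 'example.net. IN DNSKEY 256 3 13 DDDD\n' > "$d/Kexample.net.+013+44444.key"
    printf 'example.org. IN DNSKEY 257 3 13 EEEE\n' > "$d/Kexample.org.+013+55555.key"
    printf 'example.org. IN DNSKEY 256 3 13 FFFF\n' > "$d/Kexample.org.+013+66666.key"
    echo "$d"
}

# Stand-alone run: write the config, then check the constructed directory.
write_named_conf "./named.conf.views-example"
keydir=$(make_sample_keydir)
check_zone "$keydir" example.net 2 || echo "example.net: more keys than expected"
check_zone "$keydir" example.org 2
```

Run `named-checkconf` on the written fragment before deploying it, and run the count against the real key-directory only outside a rollover window: two keys of one role are legitimate while a rollover is in progress, so a count above two is the signal that both views' key managers generated keys independently. The same information is also visible per zone via `rndc dnssec -status`, which reports the keys each view's copy of the zone is using.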