[dns-wg] DNSSEC and DHCP
Joe Abley
jabley at strandkip.nl
Mon May 22 22:12:41 CEST 2023
On Mon 22 May, Julian Fölsch <julian.foelsch at agdsn.de> wrote:

> This however had the side effect that child zones that are not signed were no
> longer resolving so I thought "Let's just sign them. Can't be that hard,
> right?"

Verifiably-insecure delegations (a zone cut with no DS records on the parent side) should not be a problem to resolve through a validating resolver. You shouldn't have to sign your child zones to make them work. It seems possible that something else was wrong?

> I was very wrong.
> One of the child zones is for hosts using DHCP and is managed by dnsmasq that
> unfortunately can't sign the zone.
> But it can do zone transfers.
> So we tried a setup using opendnssec as a signing proxy that transfers the
> zone to an unbound.
> Unfortunately this has proven unreliable at best and broken at worst so I am
> looking to replace that.

There are a variety of other DNSSEC signers that can act as "bump in the wire" signers (where the "wire" is [AI]XFR). There are people who actually write that kind of software on this list and my hands-on with this stuff is a bit long in the tooth, so I won't try to speak for any of them.

> I was just looking around for a DHCP server that directly can sign the zone
> but I was unable to find something so far.
> So I was wondering how other people are doing this.
>
> Are you signing DHCP zones?
> Would you recommend (not) doing it?
> If you are doing it, how are you doing it?

It used to be quite common to glue DHCP servers to the DNS using dynamic updates, so that a DHCP server sends a DNS UPDATE when it wants to add or drop a binding to an address. If the DNS server handling the DNS UPDATE requests can also act as a DNSSEC signer, that might work for you. I have set up BIND9 like that before and it was fairly painless.

Joe
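The DHCP-to-DNS-UPDATE arrangement Joe describes, as an added example that is not from either poster's setup: a BIND 9 (9.16 or later) zone that accepts TSIG-authenticated dynamic updates from the DHCP server and is signed in place by named via dnssec-policy, next to the matching ISC DHCP stanza. The zone name, addresses, key name and secret are placeholders assumed for the example; dnsmasq itself does not send DNS UPDATE, so a DHCP server that does (ISC DHCP here) is assumed.

```conf
# --- named.conf excerpt (BIND 9.16+); names, paths and addresses are assumed ---
# TSIG key shared with the DHCP server; the secret is a placeholder,
# generate a real one with `tsig-keygen dhcp-update-key`.
key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

zone "dhcp.example.net" {
    type primary;
    file "/var/lib/bind/dhcp.example.net.db";
    # Only the DHCP server's key may add or remove names below the apex,
    # and only these record types; the apex itself stays untouched.
    update-policy {
        grant dhcp-update-key zonesub A AAAA TXT DHCID;
    };
    # named signs the dynamic zone itself (and rolls keys per policy) as
    # updates arrive, so no external signing proxy is needed. The DS record
    # for the resulting KSK still has to be published in the parent zone.
    dnssec-policy default;
};

# --- dhcpd.conf excerpt (ISC DHCP 4.3+), the sending side of the UPDATE ---
ddns-update-style standard;          # DHCID-based conflict detection
ddns-domainname "dhcp.example.net.";
update-static-leases on;

key dhcp-update-key {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";   # must match named.conf
};

zone dhcp.example.net. {
    primary 192.0.2.53;                  # the BIND primary above (assumed)
    key dhcp-update-key;
}
```

After a lease is handed out, `dig +dnssec <host>.dhcp.example.net A` against the primary should return the record with an RRSIG, and a validating resolver should return it with the AD bit once the DS is in the parent.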