[dns-wg] DNSSEC and DHCP
Gert Doering
gert at space.net
Tue May 23 09:33:33 CEST 2023
Hi,

On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:
> This however had the side effect that child zones that are not signed were no
> longer resolving

... this statement is not actually correct. Non-signed child zones are perfectly fine *as long* as there are no DS records for those children in the parent.

Think ".de" and all the non-signed "$domain.de" zones...

[..]
> Are you signing DHCP zones?
> Would you recommend (not) doing it?
> If you are doing it, how are you doing it?

We're not currently doing it, but that's more a bit of laziness on my side - our DHCP setup currently uses ISC DHCP, and the zones are hosted on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS nsupdate to BIND, and from there, BIND could do "normal" inline signing.

Having DHCP+DNS integrated in dnsmasq makes this more complicated, but you could theoretically have "a real DNS" server AXFR the zones from dnsmasq, and then sign them there.

Gert Doering
        -- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
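
The rule stated in the message above (an unsigned child zone is fine as long as the parent holds no DS for it), as an added example that is not part of the original message: a classifier that compares the parent's DS set with the child's DNSKEYs. The zone names, the status labels and the key bytes are constructed for illustration, and only the DS-to-DNSKEY link is checked.

```python
import hashlib
import struct

def wire_name(name):
    """Canonical lowercase wire form of an owner name (RFC 4034, 6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034, appendix B)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_sha256(owner, rdata):
    """DS digest type 2: SHA-256 over owner name followed by DNSKEY RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest()

def delegation_status(zone, parent_ds, child_dnskeys):
    """parent_ds: (key_tag, algorithm, digest_type, hex_digest) tuples held by
    the parent; child_dnskeys: DNSKEY RDATA byte strings at the child apex.
    Only the DS-to-DNSKEY link is checked, RRSIGs are not validated."""
    if not parent_ds:
        return "insecure"  # no DS: validators treat the child as unsigned
    for tag, alg, dtype, digest in parent_ds:
        for rdata in child_dnskeys:
            if (dtype == 2 and rdata[3] == alg and key_tag(rdata) == tag
                    and ds_sha256(zone, rdata) == digest.lower()):
                return "linked"  # chain of trust can continue into the child
    return "bogus"  # DS without a matching DNSKEY: validators fail the zone

def demo():
    # Constructed sample data: the 64 key bytes are filler, not a real key.
    ksk = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))
    good_ds = (key_tag(ksk), 13, 2, ds_sha256("signed.example.org", ksk))
    stale_ds = (key_tag(ksk), 13, 2, ds_sha256("stale.example.org", ksk))
    return {
        "dhcp.example.org": delegation_status("dhcp.example.org", [], []),
        "signed.example.org": delegation_status("signed.example.org", [good_ds], [ksk]),
        "stale.example.org": delegation_status("stale.example.org", [stale_ds], []),
    }

if __name__ == "__main__":
    for zone, status in demo().items():
        print(f"{zone}: {status}")
```

The "bogus" case is the one that stops resolving on validating resolvers: a DS left in the parent while the child publishes no matching DNSKEY.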