Fwd: [Opendnssec-user] Zones in different views with the same name

[Jan Hugo Prins]

On 10/03/2013 02:19 PM, Rick van Rein (OpenFortress) wrote:
> Hi Jan Hugo,
>
>> I'm currently looking into opendnssec to manage all DNS zones that I have.
>> For some zones I have multiple views with different content.
> This has been discussed in the developers' team also.  It is not possible to do this with current OpenDNSSEC releases, but it may be later on.

:-(
Are there other DNSSec solutions that can do it?

> For the direction of solution considered, please see https://issues.opendnssec.org/browse/OPENDNSSEC-232 for details.  It cuts through all of the system, and is therefore considered a difficult operation, even if it is conceptually straightforward.
My first look at it going through that document is that it is indeed not 
really straight forward. But then again, I have just started looking at 
the software from a SysAdmin point of view and I'm not a developer. On a 
higher level the splitting a zone into multiple views in the 
configuration the way it is described sounds like a very straightforward 
and logic solution.


>
> AFAIK it is not on the road map though.  Perhaps you can explain why this is crucial to you?  It might help if you have an unforeseen application that convinces.
There are a few area's where I think that this is important:

- Geolocation. Basicly different views for different area's in the 
world. You want them all signed and preferably with the same keyset.
- Internal and external views for ISP environments. We have a strict 
seperation between authorative and recursive nameservers. To make sure 
that internal requests are directed towards the correct view on the 
authorative nameservers, the view for the internal part of the zone is 
only served to the internal recursive nameservers. But you want it all 
signed with the same keyset because people using laptops or 
company-servers outside of the internal network could potentially hit 
both views in some situations.
- When you tell your recursive nameserver that it has to check DNSSEC 
and it tries to resolve your internal view, but because it is a 
recursive nameserver it does that doing the normal walkdown from the 
root, it will hit the DS records in the parent zone and will then 
invalidate your whole internal view if it is not signed or signed with 
the wrong keyset.

> As was stated, you should run views in separate OpenDNSSEC instances, unfortunately.  One note I'd add to that is that you might be best off with a single Enforcer, and multiple signers.  That way, you would share the keying material and PKCS #11 infrastructure among zones.
In big environments this sounds like a hacky setup. Especially if you 
have to distribute this on multiple servers to be able to run multiple 
signers. If you can run multiple signers on one server and you can 
create some directory tree to house all signer sets etc. This could 
work, but it will depend a lot on the way the communication is setup 
between the signers and the enforcer. If this is done through semaphore 
files or direct pipes between the applications then this will fail and 
might need modifications in the software or hacky scripts around it to 
make it work.

Jan Hugo