[Opendnssec-user] Zones in different views with the same name
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Oct 3 09:26:08 UTC 2013
On 03.10.2013 10:25, Havard Eidnes wrote:
>> For some zones I have multiple views with different content.
>>
>> How can I configure this in OpenDNSSec in combination with SoftHSM?
>
> My opinion: I think you are stretching the DNS model too far by
> trying to do this.
>
> But ... if you really want the associated pain, I suspect you
> will have to operate with two different OpenDNSSEC instances, one
> signing the public version, one signing the "other (internal?)
> view".
>
> You do of course need to ensure that any validating resolvers are
> not exposed to a mixed world view, picking up data from both of
> the two distinct views.
I think it also would make sense to use the same keys on both ODS
instances to have a common trust anchor in the parent zone (eg. ODS1
creates keys in SoftHSM, runs the ods-enforcer, and runs the ods-signer.
Sync the SoftHSM and the KASP DB to ODS2 and on ODS2 only run the
ods-signer. I think this should work), or put the fingerprint of both
KSKs into the parent zone.
regards
Klaus
More information about the Opendnssec-user
mailing list