[Opendnssec-user] Zones in different views with the same name

Klaus Darilion klaus.mailinglists at pernau.at
Thu Oct 3 09:26:08 UTC 2013

On 03.10.2013 10:25, Havard Eidnes wrote:
>> For some zones I have multiple views with different content.
>> How can I configure this in OpenDNSSec in combination with SoftHSM?
> My opinion: I think you are stretching the DNS model too far by
> trying to do this.
> But ... if you really want the associated pain, I suspect you
> will have to operate with two different OpenDNSSEC instances, one
> signing the public version, one signing the "other (internal?)
> view".
> You do of course need to ensure that any validating resolvers are
> not exposed to a mixed world view, picking up data from both of
> the two distinct views.

I think it also would make sense to use the same keys on both ODS 
instances to have a common trust anchor in the parent zone (eg. ODS1 
creates keys in SoftHSM, runs the ods-enforcer, and runs the ods-signer. 
Sync the SoftHSM and the KASP DB to ODS2 and on ODS2 only run the 
ods-signer. I think this should work), or put the fingerprint of both 
KSKs into the parent zone.


More information about the Opendnssec-user mailing list