Fwd: [Opendnssec-user] Zones in different views with the same name
Jan Hugo Prins
jhp at jhprins.org
Thu Oct 3 20:54:22 UTC 2013
On 10/03/2013 02:19 PM, Rick van Rein (OpenFortress) wrote:
> Hi Jan Hugo,
>> I'm currently looking into opendnssec to manage all DNS zones that I have.
>> For some zones I have multiple views with different content.
> This has been discussed in the developers' team also. It is not possible to do this with current OpenDNSSEC releases, but it may be later on.
Are there other DNSSEC solutions that can do it?
> For the direction of solution considered, please see https://issues.opendnssec.org/browse/OPENDNSSEC-232 for details. It cuts through all of the system, and is therefore considered a difficult operation, even if it is conceptually straightforward.
My first look at it going through that document is that it is indeed not
really straightforward. But then again, I have just started looking at
the software from a SysAdmin point of view and I'm not a developer. On a
higher level, splitting a zone into multiple views in the
configuration the way it is described sounds like a very straightforward
and logical solution.
> AFAIK it is not on the road map though. Perhaps you can explain why this is crucial to you? It might help if you have an unforeseen application that convinces.
There are a few areas where I think that this is important:
- Geolocation. Basically different views for different areas in the
world. You want them all signed and preferably with the same keyset.
- Internal and external views for ISP environments. We have a strict
separation between authoritative and recursive nameservers. To make sure
that internal requests are directed towards the correct view on the
authoritative nameservers, the view for the internal part of the zone is
only served to the internal recursive nameservers. But you want it all
signed with the same keyset because people using laptops or
company servers outside of the internal network could potentially hit
both views in some situations.
- When you tell your recursive nameserver that it has to check DNSSEC
and it tries to resolve your internal view, but because it is a
recursive nameserver it does that doing the normal walk down from the
root, it will hit the DS records in the parent zone and will then
invalidate your whole internal view if it is not signed or signed with
the wrong keyset.
> As was stated, you should run views in separate OpenDNSSEC instances, unfortunately. One note I'd add to that is that you might be best off with a single Enforcer, and multiple signers. That way, you would share the keying material and PKCS #11 infrastructure among zones.
In big environments this sounds like a hacky setup. Especially if you
have to distribute this on multiple servers to be able to run multiple
signers. If you can run multiple signers on one server and you can
create some directory tree to house all signer sets etc., this could
work, but it will depend a lot on the way the communication is set up
between the signers and the enforcer. If this is done through semaphore
files or direct pipes between the applications then this will fail and
might need modifications in the software or hacky scripts around it to
make it work.
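The chain-of-trust failure described in the third bullet above, as an added illustration that is not part of this thread or of OpenDNSSEC: it builds DS records the way a parent zone would from a KSK, then checks which view's DNSKEY set a validating resolver could link to them. The key bytes, the zone name example.net and the two-view layout are constructed for the example.

```python
import hashlib
import struct
# Constructed stand-ins for public key material (not real keys); only their bytes feed the digest.
EXTERNAL_KSK_PUB = bytes(range(1, 65))
INTERNAL_KSK_PUB = bytes(range(200, 136, -1))   # a different KSK, as in a separately signed view
ZSK_PUB = bytes(range(64, 0, -1))
def name_to_wire(name):
    # Canonical owner name: lowercase, length-prefixed labels, terminated by the root label.
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, pubkey):
    # DNSKEY RDATA: flags (257 = KSK, SEP bit set; 256 = ZSK), protocol 3, algorithm, key bytes.
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey

def key_tag(rdata):
    # RFC 4034 Appendix B key tag (all algorithms except historic RSAMD5).
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    # RFC 4034 5.1.4 / RFC 4509: digest over owner name in wire form followed by the DNSKEY RDATA.
    hasher = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return hasher(name_to_wire(owner) + rdata).hexdigest().upper()

def make_ds(owner, rdata, digest_type=2):
    # The DS the parent zone publishes for this KSK: (key tag, algorithm, digest type, digest).
    return (key_tag(rdata), rdata[3], digest_type, ds_digest(owner, rdata, digest_type))

def matching_sep_keys(owner, parent_ds_set, view_dnskeys):
    # Key tags of SEP-flagged DNSKEYs served by a view that hash to a DS in the parent;
    # an empty result means a validating resolver cannot build a chain of trust into this view.
    matches = []
    for rdata in view_dnskeys:
        if not struct.unpack("!H", rdata[:2])[0] & 0x0001:   # skip keys without the SEP bit
            continue
        for tag, alg, dtype, digest in parent_ds_set:
            if (tag, alg) == (key_tag(rdata), rdata[3]) and ds_digest(owner, rdata, dtype) == digest:
                matches.append(tag)
    return matches

def demo(zone="example.net."):
    # Parent knows only the external KSK; the internal view was signed with its own KSK.
    ext_ksk = dnskey_rdata(257, 8, EXTERNAL_KSK_PUB)   # algorithm 8 = RSASHA256
    int_ksk = dnskey_rdata(257, 8, INTERNAL_KSK_PUB)
    zsk = dnskey_rdata(256, 8, ZSK_PUB)
    parent_ds = [make_ds(zone, ext_ksk)]
    external_ok = bool(matching_sep_keys(zone, parent_ds, [ext_ksk, zsk]))
    internal_ok = bool(matching_sep_keys(zone, parent_ds, [int_ksk, zsk]))
    return external_ok, internal_ok   # returns (True, False)
```

Signing both views with the same KSK, as the bullet asks for, makes the internal result True as well, since the DS digest covers only the owner name and the DNSKEY RDATA, not the rest of the view's content.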