[Opendnssec-user] Zones in different views with the same name
Rick van Rein (OpenFortress)
rick at openfortress.nl
Thu Oct 3 21:06:15 UTC 2013
Hello Jan Hugo,
> There are a few area's where I think that this is important:
Could you add that to the ticket OPENDNSSEC-232 perhaps?
I agree that it is a useful instrument with a wide area of applications. It just hasn't been taken into account when designing the current version of OpenDNSSEC.
>> As was stated, you should run views in separate OpenDNSSEC instances, unfortunately. One note I'd add to that is that you might be best off with a single Enforcer, and multiple signers. That way, you would share the keying material and PKCS #11 infrastructure among zones.
> In big environments this sounds like a hacky setup. Especially if you have to distribute this on multiple servers to be able to run multiple signers.
I was thinking along those lines too; the Enforcer kicks the Signer, and provides .signconf files with paths inserted. I've asked this on the developer's list, because it is getting into the nitty-gritty. The idea of running one Enforcer, SQL, PKCS #11 and multiple Signers is new AFAIK, so it's worth investigating.
Sara is usually keen to hear to hear about (and respond on) this sort of end-user concerns, but she is currently ill. I expect her to respond when she gets better though.
More information about the Opendnssec-user