[Opendnssec-user] Zones in different views with the same name

Rick van Rein (OpenFortress) rick at openfortress.nl
Thu Oct 3 21:06:15 UTC 2013

Hello Jan Hugo,

> There are a few area's where I think that this is important:

Could you add that to the ticket OPENDNSSEC-232 perhaps?


I agree that it is a useful instrument with a wide area of applications.  It just hasn't been taken into account when designing the current version of OpenDNSSEC.

>> As was stated, you should run views in separate OpenDNSSEC instances, unfortunately.  One note I'd add to that is that you might be best off with a single Enforcer, and multiple signers.  That way, you would share the keying material and PKCS #11 infrastructure among zones.
> In big environments this sounds like a hacky setup. Especially if you have to distribute this on multiple servers to be able to run multiple signers.

I was thinking along those lines too; the Enforcer kicks the Signer, and provides .signconf files with paths inserted.  I've asked this on the developer's list, because it is getting into the nitty-gritty.  The idea of running one Enforcer, SQL, PKCS #11 and multiple Signers is new AFAIK, so it's worth investigating.

Sara is usually keen to hear to hear about (and respond on) this sort of end-user concerns, but she is currently ill.  I expect her to respond when she gets better though.


More information about the Opendnssec-user mailing list