This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC and DHCP
Julian Fölsch
julian.foelsch at agdsn.de
Mon May 22 21:18:11 CEST 2023
Hi,

First of all: If you think I should discuss this somewhere else, please tell me. :)

During my quest to get my SSH client to use SSHFP records and not annoy me with trust questions anymore, I fell into the rabbit hole that is DNSSEC. Our domain already uses DNSSEC, so I only had to set up the resolver in our office and my PC to verify it. This however had the side effect that child zones that are not signed were no longer resolving, so I thought "Let's just sign them. Can't be that hard, right?"

I was very wrong. One of the child zones is for hosts using DHCP and is managed by dnsmasq, which unfortunately can't sign the zone. But it can do zone transfers. So we tried a setup using opendnssec as a signing proxy that transfers the zone to an unbound. Unfortunately this has proven unreliable at best and broken at worst, so I am looking to replace that.

I was just looking around for a DHCP server that can sign the zone directly, but I was unable to find something so far. So I was wondering how other people are doing this. Are you signing DHCP zones? Would you recommend (not) doing it? If you are doing it, how are you doing it?

Kind regards,
Julian

PS: If you are at RIPE86 I also would be happy to discuss this in person :)

--
Julian Fölsch
Arbeitsgemeinschaft Dresdner Studentennetz (AG DSN)
Teamsprecher Computing
Tel.: +49 351 271816 69
E-Mail: julian.foelsch at agdsn.de
StuRa der TU Dresden
Helmholtzstr. 10
01069 Dresden