[dns-wg] DNSSEC and DHCP

Op ma 22 mei , Julian Fölsch <[julian.foelsch at agdsn.de](mailto:Op ma 22 mei  , Julian Fölsch <<a href=)> schreef:

> This however had the side effect that child zones that are not signed were no
> longer resolving so I thought "Lets just sign them. Can't be that hard,
> right?"

Verifiably-insecure delegations (a zone cut with no DS records on the parent side) should not be a problem to resolve through a validating resolver. You shouldn't have to sign your child zones to make them work. It seems possible that something else was wrong?

> I was very wrong.
> One of the child zones is for hosts using DHCP and is managed by dnsmasq that
> unfortunately can't sign the zone.
> But it can do zone transfers.
> So we tried a setup using opendnssec as a signing proxy that transfers the
> zone to an unbound.
> Unfortunately this has proven unreliable at best and broken at worst so I am
> looking to replace that.

There are a variety of other DNSSEC signers that can act as "bump in the wire" signers (where the "wire" is [AI]XFR). There are people who actually write that kind of software on this list and my hands-on with this stuff is a bit long in the tooth, so I won't try to speak for any of them.

> I was just looking around for a DHCP server that directly can sign the zone
> but I was unable to find something so far.
> So I was wondering how other people are doing this.
>
> Are you signing DHCP zones?
> Would you recommend (not) doing it?
> If you are doing it, how are you doing it?

It used to be quite common to glue DHCP servers to the DNS using dynamic updates, so that a DHCP server sends a DNS UPDATE when it wants to add or drop a binding to an address. If the DNS server handling the DNS UPDATE requests can also act as a DNSSEC signer, that might work for you. I have set up BIND9 like that before and it was fairly painless.

Joe
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </ripe/mail/archives/dns-wg/attachments/20230522/01dafb64/attachment.html>