This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/[email protected]/
[dns-wg] DNSSEC and DHCP
Joe Abley
jabley at strandkip.nl
Mon May 22 22:12:41 CEST 2023
On Mon 22 May, Julian Fölsch <julian.foelsch at agdsn.de> wrote:

> This however had the side effect that child zones that are not signed were no
> longer resolving so I thought "Let's just sign them. Can't be that hard,
> right?"

Verifiably-insecure delegations (a zone cut with no DS records on the parent side) should not be a problem to resolve through a validating resolver. You shouldn't have to sign your child zones to make them work. It seems possible that something else was wrong?

> I was very wrong.
> One of the child zones is for hosts using DHCP and is managed by dnsmasq that
> unfortunately can't sign the zone.
> But it can do zone transfers.
> So we tried a setup using opendnssec as a signing proxy that transfers the
> zone to an unbound.
> Unfortunately this has proven unreliable at best and broken at worst so I am
> looking to replace that.

There are a variety of other DNSSEC signers that can act as "bump in the wire" signers (where the "wire" is [AI]XFR). There are people who actually write that kind of software on this list and my hands-on with this stuff is a bit long in the tooth, so I won't try to speak for any of them.

> I was just looking around for a DHCP server that directly can sign the zone
> but I was unable to find something so far.
> So I was wondering how other people are doing this.
>
> Are you signing DHCP zones?
> Would you recommend (not) doing it?
> If you are doing it, how are you doing it?

It used to be quite common to glue DHCP servers to the DNS using dynamic updates, so that a DHCP server sends a DNS UPDATE when it wants to add or drop a binding to an address. If the DNS server handling the DNS UPDATE requests can also act as a DNSSEC signer, that might work for you. I have set up BIND9 like that before and it was fairly painless.

Joe
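The setup Joe describes in his last paragraph (DHCP server sends DNS UPDATE, the authoritative server signs the result) can be expressed as a BIND 9.16+ `named.conf` fragment. This is an added example, not configuration from the thread or from any of the posters; the zone name `dhcp.example.net`, the key name `dhcp-key`, the secret and the file path are placeholders. It assumes a DHCP server that can send RFC 2136 updates signed with a TSIG key; the thread names no such server, and dnsmasq itself is not one.

```conf
// Added example (not from the thread): BIND 9.16+ named.conf fragment for a
// DHCP-populated zone that named signs itself. Zone name, key name, secret
// and file path are placeholders chosen for this example.

// TSIG key shared with the DHCP server. Generate a real secret with
// `tsig-keygen dhcp-key` instead of using this placeholder value.
key "dhcp-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET=";
};

zone "dhcp.example.net" {
    type primary;
    file "/var/lib/bind/dhcp.example.net.db";

    // Only holders of dhcp-key may send UPDATEs, and only for names
    // below the zone apex (zonesub), never the apex itself. This keeps a
    // compromised DHCP host from rewriting the zone's NS, SOA or DNSKEY.
    update-policy {
        grant dhcp-key zonesub ANY;
    };

    // Let named keep the zone signed. The built-in "default" policy
    // generates the keys, signs records as UPDATEs arrive and handles
    // rollovers. A dynamic zone is signed in place, so no separate
    // inline-signing step is needed for this to work.
    dnssec-policy default;
};
```

To exercise it without a DHCP server, send one update by hand with `nsupdate -k dhcp-key.key` and the commands `server 127.0.0.1`, `update add host42.dhcp.example.net. 3600 A 192.0.2.42`, `send`; a `dig +dnssec host42.dhcp.example.net A` against the server should then return the record with an RRSIG. Until the zone's DS is published in the parent (`rndc dnssec -checkds published dhcp.example.net` tells named once that is done), the delegation stays verifiably insecure, which, as the first paragraph of the reply points out, still resolves fine through a validating resolver.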