This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC and DHCP
- Previous message (by thread): [dns-wg] DNSSEC and DHCP
- Next message (by thread): [dns-wg] DNSSEC and DHCP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Gert Doering
gert at space.net
Tue May 23 09:33:33 CEST 2023
Hi, On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote: > This however had the side effect that child zones that are not signed were no > longer resolving ... this statement is not actually correct. Non-signed child zones are perfectly fine *as long* as there are no DS records for those childs in the parent. Think ".de" and all the non-signed "$domain.de" zones... [..] > Are you signing DHCP zones? > Would you recommend (not) doing it? > If you are doing it, how are you doing it? We're not currently doing it, but that's more a bit of laziness on my side - our DHCP setup currently uses ISC DHCP, and the zones are hosted on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS nsupdate to BIND, and from there, BIND could do "normal" inline signing. Having DHCP+DNS integrated in dnsmasq makes this more complicated, but you could theoretically have "a real DNS" server AXFR the zones from dnsmasq, and then sign them there. Gert Doering -- NetMaster -- have you enabled IPv6 on something today...? SpaceNet AG Vorstand: Sebastian v. Bomhard, Michael Emmer Joseph-Dollinger-Bogen 14 Aufsichtsratsvors.: A. Grundner-Culemann D-80807 Muenchen HRB: 136055 (AG Muenchen) Tel: +49 (0)89/32356-444 USt-IdNr.: DE813185279 -------------- next part -------------- A non-text attachment was scrubbed... Name: signature.asc Type: application/pgp-signature Size: 833 bytes Desc: not available URL: </ripe/mail/archives/dns-wg/attachments/20230523/872c3e48/attachment-0001.sig>
- Previous message (by thread): [dns-wg] DNSSEC and DHCP
- Next message (by thread): [dns-wg] DNSSEC and DHCP
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
[ dns-wg Archives ]