This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC and DHCP
Gert Doering
gert at space.net
Tue May 23 09:33:33 CEST 2023
Hi,
On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:
> This however had the side effect that child zones that are not signed were no 
> longer resolving 
... this statement is not actually correct.  Non-signed child zones are
perfectly fine *as long* as there are no DS records for those children in
the parent.  Think ".de" and all the non-signed "$domain.de" zones...
[..]
> Are you signing DHCP zones?
> Would you recommend (not) doing it?
> If you are doing it, how are you doing it?
We're not currently doing it, but that's more a bit of laziness on my
side - our DHCP setup currently uses ISC DHCP, and the zones are hosted
on a BIND 9 primary.  DNS is updated from the ISC dhcpd using DNS 
nsupdate to BIND, and from there, BIND could do "normal" inline signing.
Having DHCP+DNS integrated in dnsmasq makes this more complicated, but
you could theoretically have "a real DNS" server AXFR the zones from
dnsmasq, and then sign them there.
Gert Doering
        -- NetMaster
-- 
have you enabled IPv6 on something today...?
SpaceNet AG                      Vorstand: Sebastian v. Bomhard, Michael Emmer
Joseph-Dollinger-Bogen 14        Aufsichtsratsvors.: A. Grundner-Culemann
D-80807 Muenchen                 HRB: 136055 (AG Muenchen)
Tel: +49 (0)89/32356-444         USt-IdNr.: DE813185279
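
The DS rule from the message above, as an added example that is not part of the original post: it audits the delegations in a parent zone and flags the ones a validating resolver would reject. The zone names, key tags and digests are constructed sample data; the sketch assumes the parent zone itself is signed and matches DS to DNSKEY by key tag only, whereas a real validator also checks the digest and the signatures.

```python
# Constructed sample data: delegation records as they would appear in a
# signed parent zone (digests shortened to placeholders).
PARENT_ZONE = """\
signed.example.net.  IN NS ns1.signed.example.net.
signed.example.net.  IN DS 12345 13 2 AAAA
dhcp.example.net.    IN NS ns1.dhcp.example.net.
stale.example.net.   IN NS ns1.stale.example.net.
stale.example.net.   IN DS 54321 13 2 BBBB
"""

# Constructed sample data: key tags of the DNSKEYs each child publishes.
# An empty set means the child zone is not signed.
CHILD_KEY_TAGS = {
    "signed.example.net.": {12345},
    "dhcp.example.net.": set(),
    "stale.example.net.": set(),
}


def delegation_status(parent_zone_text, child_key_tags):
    """Classify each delegated child as secure, insecure or bogus."""
    children, ds_tags = set(), {}
    for line in parent_zone_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "IN":
            continue
        owner, rtype = fields[0].lower(), fields[2]
        if rtype == "NS":
            children.add(owner)
        elif rtype == "DS":
            ds_tags.setdefault(owner, set()).add(int(fields[3]))

    status = {}
    for child in sorted(children):
        ds = ds_tags.get(child, set())
        keys = child_key_tags.get(child, set())
        if not ds:
            # No DS in the parent: the delegation is provably insecure and
            # resolves normally, whether or not the child is signed.
            status[child] = "insecure"
        elif ds & keys:
            status[child] = "secure"
        else:
            # DS present but no matching DNSKEY in the child: validating
            # resolvers answer SERVFAIL for everything below this name.
            status[child] = "bogus"
    return status


if __name__ == "__main__":
    for name, state in delegation_status(PARENT_ZONE, CHILD_KEY_TAGS).items():
        print(f"{name:24} {state}")
```
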