This archive is retained to ensure existing URLs remain functional. It will not contain any emails sent to this mailing list after July 1, 2024. For all messages, including those sent before and after this date, please visit the new location of the archive at https://mailman.ripe.net/archives/list/dns-wg@ripe.net/
[dns-wg] DNSSEC and DHCP
Petr Špaček
pspacek at isc.org
Tue May 23 11:36:07 CEST 2023
On 23. 05. 23 9:33, Gert Doering wrote:
> Hi,
>
> On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:
>> This however had the side effect that child zones that are not signed were no
>> longer resolving
>
> ... this statement is not actually correct. Non-signed child zones are
> perfectly fine *as long* as there are no DS records for those children in
> the parent. Think ".de" and all the non-signed "$domain.de" zones...
>
> [..]
>> Are you signing DHCP zones?
>> Would you recommend (not) doing it?
>> If you are doing it, how are you doing it?
>
> We're not currently doing it, but that's more a bit of laziness on my
> side - our DHCP setup currently uses ISC DHCP, and the zones are hosted
> on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS
> nsupdate to BIND, and from there, BIND could do "normal" inline signing.
>
> Having DHCP+DNS integrated in dnsmasq makes this more complicated, but
> you could theoretically have "a real DNS" server AXFR the zones from
> dnsmasq, and then sign them there.

I agree. 'Usual' setup is a DHCP which sends DNS updates to a separate DNS server and the DNS server takes care of DNSSEC when it receives the dynamic update. Besides other things this allows for redundancy both on DHCP and DNS side.

If you want to migrate to another DHCP server then please skip ISC DHCP (that's basically end-of-life) and go straight to Kea (also by ISC) or something else.

HTH.

--
Petr Špaček
Internet Systems Consortium
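The arrangement discussed in this thread (a DHCP server sending dynamic updates to a BIND 9 primary, which signs the zone itself), as an added `named.conf` example that is not part of the original messages. The zone name, key name, file path and secret are placeholders, and the choice of TSIG and of the built-in `default` DNSSEC policy is an assumption.

```conf
// Added example; all names and the secret below are placeholders.

// Shared TSIG key: the DHCP server (or its DDNS helper) signs its
// dynamic updates with this key, so only it can change the zone.
key "dhcp-ddns" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_SECRET";
};

zone "dhcp.example.org" {
    type primary;
    // Must be writable by named: dynamic updates and signatures
    // are journaled and written back here.
    file "dynamic/dhcp.example.org.db";

    // BIND generates keys and maintains RRSIG/NSEC records itself,
    // re-signing whenever a dynamic update changes the zone.
    dnssec-policy default;
    inline-signing yes;

    // Least privilege: the DHCP key may only manage address and
    // client-identifier records at or below the zone apex.
    update-policy {
        grant dhcp-ddns zonesub A AAAA DHCID TXT;
    };
};
```

Until a DS record for the zone is published in the parent, the delegation stays insecure, so validating resolvers keep resolving it exactly as they do for the unsigned child zones mentioned above.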