[dns-wg] DNSSEC and DHCP

On 23. 05. 23 9:33, Gert Doering wrote:
> Hi,
> 
> On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:
>> This however had the side effect that child zones that are not signed were no
>> longer resolving
> 
> ... this statement is not actually correct.  Non-signed child zones are
> perfectly fine *as long* as there are no DS records for those childs in
> the parent.  Think ".de" and all the non-signed "$domain.de" zones...
> 
> [..]
>> Are you signing DHCP zones?
>> Would you recommend (not) doing it?
>> If you are doing it, how are you doing it?
> 
> We're not currently doing it, but that's more a bit of laziness on my
> side - our DHCP setup currently uses ISC DHCP, and the zones are hosted
> on a BIND 9 primary.  DNS is updated from the ISC dhcpd using DNS
> nsupdate to BIND, and from there, BIND could do "normal" inline signing.
> 
> Having DHCP+DNS integrated in dnsmasq makes this more complicated, but
> you could theoretically have "a real DNS" server AXFR the zones from
> dnsmasq, and then sign them there.

I agree. 'Usual' setup is a DHCP which sends DNS updates to a separate 
DNS server and the DNS server takes care of DNSSEC when it receives the 
dynamic update.

Besides other things this allows for redundancy both on DHCP and DNS side.

If you want to migrate to another DHCP server then please skip ISC DHCP 
(that's basically end-of-life) and go straight to Kea (also by ISC) or 
something else.

HTH.

-- 
Petr Špaček
Internet Systems Consortium