Hi,

On Mon, May 22, 2023 at 09:18:11PM +0200, Julian Fölsch wrote:

> This however had the side effect that child zones that are not signed were no longer resolving

... this statement is not actually correct. Non-signed child zones are perfectly fine *as long* as there are no DS records for those children in the parent. Think ".de" and all the non-signed "$domain.de" zones... [..]

> Are you signing DHCP zones? Would you recommend (not) doing it? If you are doing it, how are you doing it?

We're not currently doing it, but that's more a bit of laziness on my side - our DHCP setup currently uses ISC DHCP, and the zones are hosted on a BIND 9 primary. DNS is updated from the ISC dhcpd using DNS nsupdate to BIND, and from there, BIND could do "normal" inline signing. Having DHCP+DNS integrated in dnsmasq makes this more complicated, but you could theoretically have "a real DNS" server AXFR the zones from dnsmasq, and then sign them there.

Gert Doering
-- NetMaster
--
have you enabled IPv6 on something today...?

SpaceNet AG
Joseph-Dollinger-Bogen 14
D-80807 Muenchen
Tel: +49 (0)89/32356-444
Management board: Sebastian v. Bomhard, Michael Emmer
Supervisory board chair: A. Grundner-Culemann
HRB: 136055 (AG Muenchen)
VAT ID: DE813185279
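The dhcpd -> nsupdate -> BIND -> inline-signing chain described in the reply, written out as configuration. This is an added example and not Gert's or SpaceNet's configuration: the zone name `dhcp.example.internal`, the reverse zone `2.0.192.in-addr.arpa`, the key name `dhcp-update`, the server address `192.0.2.53` and the file paths are all assumed placeholders, and the TSIG secret is a placeholder to be replaced with the output of `tsig-keygen`.

```conf
# --- /etc/dhcp/dhcpd.conf (ISC DHCP side) ---
# Assumed zone, key and address values; the TSIG secret is a placeholder.
ddns-update-style standard;      # DHCID-based updates (RFC 4701-4703)
ddns-updates on;
ddns-domainname "dhcp.example.internal";
update-static-leases off;        # only dynamic leases get DNS records

key dhcp-update {
    algorithm hmac-sha256;
    secret "<base64 secret from tsig-keygen - placeholder>";
};

zone dhcp.example.internal. {
    primary 192.0.2.53;          # the BIND 9 primary (documentation address)
    key dhcp-update;
}

zone 2.0.192.in-addr.arpa. {
    primary 192.0.2.53;
    key dhcp-update;
}

# --- /etc/bind/named.conf (BIND 9 primary side) ---
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "<same base64 secret as in dhcpd.conf - placeholder>";
};

zone "dhcp.example.internal" {
    type primary;
    file "/var/cache/bind/dhcp.example.internal.db";
    # The dhcpd key may only touch names below the apex, and only the
    # record types dhcpd actually writes; nothing else can update the zone.
    update-policy { grant dhcp-update zonesub A AAAA TXT DHCID; };
    # BIND generates and rolls the keys itself and re-signs incrementally
    # after every dynamic update, so dhcpd never sees any DNSSEC material.
    dnssec-policy default;
    inline-signing yes;
};

zone "2.0.192.in-addr.arpa" {
    type primary;
    file "/var/cache/bind/2.0.192.in-addr.arpa.db";
    update-policy { grant dhcp-update zonesub PTR; };
    dnssec-policy default;
    inline-signing yes;
};
```

Two points worth keeping in mind with this layout. First, the DS record for the newly signed zone belongs in the parent only once the zone is signed and serving consistently; as the first half of the reply notes, a child without a DS is simply treated as insecure, while a DS that points at keys the child does not (yet) serve makes it bogus. Second, BIND's `inline-signing` also works on a `type secondary` zone, which is the "bump-in-the-wire" shape the dnsmasq-AXFR idea in the reply would take.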