On Sat, Jan 17, 2015 at 09:11:19AM -0500, John wrote:
Using a single source file may work, but the DNSKEY, RRSIG and NSEC3 records have to be external to that file (as with auto-maintain in BIND) and merged in as part of building the signed zones.
They already are, as I am using maintain and inline signing.
In that case, with care, you should be able to get away with a single source file for multiple domains.
BIND 9.10.1 or 9.9.6 or later should be able to do this, and avoid aliases if all three zones are intended to look identical, but this requires some careful analysis to make sure you never need any non-DNSSEC differences of any kind.
[ I meant "avoid the need for aliases", rather than "avoid aliases". Aliases are fine. ]
The only downside that I see is that the aliases will not themselves be using DNSSEC. I am not sure this matters as "real" services will.
I don't see why this follows. A CNAME from a signed into another signed zone "uses DNSSEC".
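As an added illustration of the "single source file, with care" setup discussed above (my own example, not configuration from anyone in this thread; the zone names, paths and key directory are assumed), here is a named.conf fragment for three zones that load the same hand-edited master file under inline signing and auto-dnssec maintain, so the DNSKEY, RRSIG and NSEC3 data stays out of that file:

```conf
// Added example: three domains served from ONE unsigned master file.
// Assumed layout (not from the thread):
//   /var/named/shared.db   the single hand-edited master file
//   /var/named/keys/       key pairs, one pair per zone, named
//                          K<zone>.+<alg>+<keyid>.{key,private}
//
// Every owner name in shared.db must be origin-relative ("@", "www", "mail"),
// never absolute, so the identical text loads correctly under each origin.
//
// Inline signing writes the signed copy and its journal next to the configured
// file as <file>.signed and <file>.signed.jnl, so the three zones must not name
// the very same path. Give each zone its own symlink to the shared master:
//   ln -s shared.db /var/named/example.com.db
//   ln -s shared.db /var/named/example.net.db
//   ln -s shared.db /var/named/example.org.db

options {
    directory     "/var/named";
    key-directory "/var/named/keys";   // key file names carry the zone name,
                                       // so one directory serves all three
};

zone "example.com" {
    type master;
    file "example.com.db";      // symlink -> shared.db
    inline-signing yes;         // signed data goes to example.com.db.signed
    auto-dnssec maintain;       // DNSKEY/RRSIG/NSEC3 never touch shared.db
};

zone "example.net" {
    type master;
    file "example.net.db";      // symlink -> shared.db
    inline-signing yes;
    auto-dnssec maintain;
};

zone "example.org" {
    type master;
    file "example.org.db";      // symlink -> shared.db
    inline-signing yes;
    auto-dnssec maintain;
};
```

After editing shared.db, bump the SOA serial once and run `rndc reload`; each zone re-signs its own copy from the new serial. Because the NSEC3 chain is part of the signed copy rather than the master, it is enabled per zone with `rndc signing -nsec3param 1 0 10 <salt> example.com` (and likewise for the other two). A cheap check that the shared file really is origin-independent is `named-checkzone example.com /var/named/shared.db`, repeated for each of the three origins, before reloading.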