DNSSEC and split DNS
Mark Andrews
marka at isc.org
Wed Oct 23 23:28:57 UTC 2013
You sign all versions of the zone.
As for key management you can:
* use the same keys in all views which makes mobile device
management simpler as there is no need to distribute keys.
Validating from the root will work in all cases though
there is still something to be said for distributing keys
for local zones locally as this prevents resolution
failures when the site is disconnected from the rest of
the world.
* different keys per view. You will need to distribute the
keys and for mobile devices they will need all sets of
keys as they see both the internal and external views
depending apon where they attach to the network and whether
there is a VPN active. For fixed devices different keys
will cause data leakage to be rejected as the leaked data
won't validate.
You can change strategy if you pick the wrong one.
Mark
In message <526857A2.8050405 at networktest.com>, David Newman writes:
> What is the recommended practice for adding DNSSEC to an environment
> that currently uses split DNS?
>
> Apologies as I'm sure this has come up before, but most discussion I
> found on bind-users was from 1999, and this isn't covered in the ARM.
>
> I did find this draft (not RFC) from 2007, but even the author
> acknowledges that some examples given can invite misconfiguration:
>
> http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04
>
> On the surface, split DNS and DNSSEC have seemingly opposite goals: One
> seeks to provide different responses to queries for the same resource,
> and the other seeks to prevent it.
>
> Is there some way of reconciling these?
>
> Thanks
>
> dn
>
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
More information about the bind-users
mailing list