DNSSEC basic information
John W. Blue
john.blue at rrcic.com
Tue Sep 24 18:05:14 UTC 2019
Anne,
Nothing prevents anyone from using DNSSEC internally but, as I understand it, that was not the intent. Additionally, if there is an obligation to validate zones internal to an organization that in of itself should be a really big red flag something is wrong with trust relationships.
So the nuts and bolts of enabling DNSSEC increases zone data by 30 to 40% not to mention the additional crypto load induced if there are frequent changes. If a split horizon is in use then internal zones typically have more records than external. On a zone that has a handful of records and very low QPS then a signed internal zone a non-issue.
As with everything, when you scale up unintended consequences of choices made tend to kick in.
John
-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Anne Bennett
Sent: Tuesday, September 24, 2019 12:46 PM
To: bind-users at isc.org
Subject: Re: DNSSEC basic information
Evan Hunt answers Jukka Pakkanen:
> In newer releases there's also a configuration option,
> "validate-except", which permanently disables validation below
> specified domains. This can be used, for example, if you have an
> internal network using a fake TLD and you want to prevent it from showing up as bogus.
... and in a separate message, John W. Blue wrote:
> 1. DNSSEC was designed for external zones
I have a case where I recently had to use "validate-except" because of a domain (not mine) whose external view is signed but not the internal view; my resolver gets the internal view for that zone.
Can someone enlighten me as to why "DNSSEC was designed for external zones", and under what circumstances it makes sense to *not* sign an internal view? It seems to me that it would be most consistent to sign both external and internal views.
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca +1 514 848-2424 x2285
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
More information about the bind-users
mailing list