DNSSEC signing of an internal zone gains nothing (unless??)
John W. Blue
john.blue at rrcic.com
Mon Aug 1 16:39:38 UTC 2022
And that is my point... show me your +dnssec dig against an internal authoritative server that has AD set.
John
-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Grant Taylor via bind-users
Sent: Monday, August 1, 2022 11:29 AM
To: bind-users at lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the
> AD flag will not be set. You will only get the AA flag. So there is
> nothing to be gained from signing an internal zone.
I feel like that's an unacceptably big if. It also precludes clients from doing client side DNSSEC validation.
Finally, why hold internal systems to a lower security standard than external systems?
--
Grant. . . .
unix || die
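The thread turns on the difference between the AA and AD header bits: an authoritative server sets AA on its own answers, while AD is only set by a validating resolver that has checked the signatures (RFC 4035 section 3.1.6). The following is an added example, not code from either poster or from BIND, that decodes those bits from a raw DNS header and from the `;; flags:` line that dig prints, then classifies the answer the way the thread does. The headers and dig lines are constructed sample data, not captured traffic.

```python
import struct

# Flag bits of the DNS header flag word (RFC 1035 section 4.1.1; AD and CD
# were added by RFC 4035 section 3.1.6).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010
FLAG_NAMES = [("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD),
              ("ra", RA), ("ad", AD), ("cd", CD)]


def build_header(flags, qdcount=1, ancount=1, nscount=0, arcount=1, txid=0x1234):
    """Build a 12-byte DNS message header (constructed sample data)."""
    return struct.pack("!HHHHHH", txid, flags, qdcount, ancount, nscount, arcount)


def parse_flags(header):
    """Decode the flag word of a DNS header into a dict of named booleans."""
    if len(header) < 12:
        raise ValueError("a DNS header is 12 bytes")
    flags = struct.unpack("!H", header[2:4])[0]
    return {name: bool(flags & bit) for name, bit in FLAG_NAMES}


def classify(flag_set):
    """Say what a response's flags actually assert about DNSSEC validation.

    flag_set is a set of lowercase flag names ("qr", "aa", "ad", ...), as
    produced by parse_flags() or parse_dig_flags().
    """
    if "qr" not in flag_set:
        return "query, not a response"
    if "ad" in flag_set:
        return "validated: the resolver asserts DNSSEC validation (AD set)"
    if "aa" in flag_set:
        return "authoritative answer (AA) only: no validation is asserted"
    return "unvalidated answer: neither AA nor AD set"


def classify_header(header):
    """Classify a raw 12-byte header."""
    decoded = parse_flags(header)
    return classify({name for name, on in decoded.items() if on})


def parse_dig_flags(line):
    """Parse the ';; flags: qr aa rd; QUERY: 1, ...' line printed by dig."""
    prefix = ";; flags:"
    if not line.startswith(prefix):
        raise ValueError("not a dig flags line")
    body = line[len(prefix):].split(";", 1)[0]
    return set(body.split())


# Constructed samples: what an internal authoritative server returns to a
# +dnssec query (AA, no AD) versus what a validating recursive resolver
# returns for the same signed name (RA and AD, no AA).
AUTH_HEADER = build_header(QR | AA | RD)
RESOLVER_HEADER = build_header(QR | RD | RA | AD)

DIG_LINE_AUTH = ";; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"
DIG_LINE_RESOLVER = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1"

if __name__ == "__main__":
    for label, hdr in (("authoritative", AUTH_HEADER), ("resolver", RESOLVER_HEADER)):
        print(f"{label:14s} wire flags: {classify_header(hdr)}")
    for line in (DIG_LINE_AUTH, DIG_LINE_RESOLVER):
        print(f"dig line      : {classify(parse_dig_flags(line))}")
```

Pointing the check at the authoritative server itself therefore reports "AA only", which is the observation in the thread; pointing it at a validating resolver that is configured with the internal zone's trust anchor is where AD can appear. Clients that validate for themselves (the case raised in the reply) do not need AD from anyone and check the RRSIGs directly, which is why AD being absent from an authoritative answer says nothing about whether signing the zone is useful.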