DNSSEC signing of an internal zone gains nothing (unless??)
Mark Andrews
marka at isc.org
Mon Aug 1 21:46:09 UTC 2022
DNSSEC is designed to be validated in the application. That applies equally to internal zones as it does to external zones. One procedure for them all.
--
Mark Andrews
> On 1 Aug 2022, at 11:15, John W. Blue via bind-users <bind-users at lists.isc.org> wrote:
>
>
> As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PM’s asking for the DNSSEC signing of an internal zone.
>
> Granted, it has long been considered unwise by DNS pro’s with a commonly stated reason that it increasing the size of the zone yadda, yadda, yadda.
>
> While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from signing an internal zone.
>
> However, I have not tested it yet, I would assume that if a non-authoritative internal server was queried it would be able to walk the chain of trust and return AD.
>
> Thoughts?
>
> John
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
>
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220801/ff041466/attachment.htm>
More information about the bind-users
mailing list