DNSSEC signing of an internal zone gains nothing (unless??)
Peter
pmc at citylink.dinoex.sub.org
Tue Aug 2 13:28:07 UTC 2022
On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote:
! You can get the AD flag set, with a bit of extra work. I've done this for
! years.
Thanks for your message, Timothe.
After investigating the matter, I had figured out a similar approach -
but didn't know if this is a recommended or commonly used way. There
is only a paper somewhere in the depths of ISC describing how to do
that for a root-slave. Anyway, it appears to work.
I finally created 6-way servers by using some extra addresses on lo0
(auth+recursing for root+intranet+public) and then found the result
suitably structured and maintainable.
! Before your authoritative view, define a recursive view with the internal
! zones defined as static-stub, match-recursive-only "yes", and a
! server-address of localhost.
Uh? Why before?
My approach so far:
view "rootslave" {
    match-clients { fdff::1; };
    allow-query-cache { none; };
    allow-recursion { none; };
    recursion no;
    <root-zones go here>
};

view "intraslave" {
    match-clients { fdff::2; key "slave1"; };
    allow-query-cache { none; };
    allow-recursion { none; };
    recursion no;
    <intranet zones go here>
};

view "extraslave" {
    match-clients { key "slave1extra"; };
    allow-query-cache { none; };
    allow-recursion { none; };
    recursion no;
    <public zones go here>
};

view "guest" { // public WLAN etc.
    match-clients { ... };
    <root-zones as 'static-stub' from fdff::1>
    // not yet deployed, needs clarification
};

view "desktop" { // user devices
    match-clients { ... };
    <root-zones 'in-view "guest"'>
    <intranet zones as 'static-stub' from fdff::2>
    <adblocker etc.>
};

view "intra" {
    match-clients { <all intranet> };
    <root-zones 'in-view "guest"'>
    <intranet zones 'in-view "desktop"'>
};

view "public" { // external sites allowed to use recursing
    match-clients { ... };
    // not yet deployed, needs evaluation
};

view "external" { // fall-through
    match-clients { any; };
    allow-query-cache { none; };
    allow-recursion { none; };
    recursion no;
    zone "." { // is this necessary? (something didn't work without)
        type hint;
        file "/usr/local/etc/namedb/named.root";
    };
    <public zones 'in-view "extraslave"'>
};
Sure, this could also be done by running 2 or 3 instances, and probably
more safely - but where would be the fun then?
-- PMc
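The arrangement Timothe describes (a recursive view listed first, with the internal zone as static-stub pointing at an authoritative view bound to a loopback address) written out as an added named.conf example; this is not the poster's configuration nor ISC's. The zone name example.internal, the addresses fdff::2 and 192.0.2.10, the client ranges, the file paths and the trust-anchor key string are assumptions (BIND 9.16+ syntax).

```conf
// Added example, not from the thread. Assumed: zone example.internal,
// loopback address fdff::2 on lo0, placeholder primary 192.0.2.10.
options {
    directory "/usr/local/etc/namedb";
    dnssec-validation auto;   // root anchor plus the trust-anchors below
};

// Validation needs a chain of trust into the internal zone. The public root
// cannot provide one, so the zone's KSK is configured as a trust anchor.
// REPLACE the key string with the zone's real DNSKEY (flags 257) public key.
trust-anchors {
    example.internal. static-key 257 3 13 "PLACEHOLDER-KSK-PUBLIC-KEY-BASE64";
};

// Recursive view first: views are tried in order and the first match wins.
// match-recursive-only means only RD=1 client queries land here; the
// resolver's own RD=0 lookups fall through to the authoritative view below.
view "intra" {
    match-clients { 10.0.0.0/8; fdff::/16; };   // assumed internal clients
    match-recursive-only yes;
    recursion yes;

    // Not authoritative here: static-stub sends the lookup to the local
    // authoritative view, so the answer goes through the validator and the
    // client receives it with the AD flag set.
    zone "example.internal" {
        type static-stub;
        server-addresses { fdff::2; };
    };
};

// Authoritative view reached only via the loopback address; no recursion,
// no cache, so it can never answer from unvalidated data.
view "intraslave" {
    match-clients { fdff::2; };
    recursion no;
    allow-query-cache { none; };
    allow-recursion { none; };

    zone "example.internal" {
        type secondary;
        primaries { 192.0.2.10; };          // assumed hidden primary
        file "slave/example.internal";
    };
};
```

To check the result from an internal client, run `dig +dnssec host.example.internal` and look for `ad` in the flags line of the header; if it is absent, `named-checkconf` and the resolver log (validation failures are logged in the `dnssec` category) are the places to look.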