DNSSEC signing of an internal zone gains nothing (unless??)

Peter pmc at citylink.dinoex.sub.org
Wed Aug 3 10:42:09 UTC 2022


On Tue, Aug 02, 2022 at 02:04:22PM -0400, Timothe Litt wrote:                   
! On 02-Aug-22 13:18, Peter wrote:                                              
! > On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:               
! > !                                                                           
! > ! On 02-Aug-22 11:09,bind-users-request at lists.isc.org  wrote:               
! > !                                                                           
! > ! > ! Before your authoritative view, define a recursive view with the internal
! > ! > ! zones defined as static-stub, match-recursive-only "yes",  and a
! > ! > ! server-address of localhost.
! > ! >                                                                         
! > ! > Uh? Why before?                                                         
! > !                                                                           
! > ! Because each request attempts to match the views in order.  You want the  
! > ! stub view to match recursive requests.  The non-RD requests will fall thru
! > ! to the internal zone and get the authoritative data.                      
! >                                                                             
! > Ahh, I see. But this does not work so well for me, because I have the       
! > public authoritative server also in the same process. And from the          
! > Internet will come requests with RD flag set, and these must get a          
! > REFUSED ("recursion desired but not available").                            
! >                                                                             
! > So I considered it too dangerous to select views depending on the RD        
! > flag being present or not, and resolve this with a slightly different       
! > ordering of the views.                                                      
! >                                                                             
! > -- PMc                                                                      
!                                                                               
! Order matters, and changing it will change behaviors.                         
                                                                                
That is obvious.                                                                
                                                                                
! The server doesn't select ONLY on the RD flag.  It also selects on IP address
! and/or TSIG keys.  The RD flag is only used to select between the recursive and
! authoritative view pairs for MATCHING CLIENTS.
                                                                                
Fine.                                                                           
                                                                                
! So you should order the views as I showed.                                    
                                                                                
That's not going to work with me. I posted the description of                   
my approach, so either you provide evidence of why my logic is                  
flawed, or You stop telling me that I should obey You.                          
                                                                                
I devised my logic, and it is quite possible that it is flawed,
but if so, then I want to understand the exact flaw, and learn
and improve.
                                                                                
! The public clients will fail the "match-clients" clause of the internal views
! regardless of the RD because of their IP addresses.  They will fall thru to the
! r-external view.  That will also fail unless they are listed clients.  So
! again, they fall thru to the external view.  That has recursion no - which
! means that RD will return REFUSED.
                                                                                
Fine. Same here.                                                                
                                                                                
! The only danger comes from failing to properly set up the client matching ACLs,
! or from making changes to the logic without understanding how it works.
                                                                                
Mistakes can happen, e.g. when in a hurry.                                      
                                                                                
! Instead of guessing, use what I provided and test it.  It works.  It
! has worked for many years.  Once you have tested it and completely
! understand it, THEN make changes.  Carefully.  And test them.
                                                                                
Well, I already have something that was tested and does appear to               
work and does suit my needs. Without evidence of a flaw I won't start           
doing that again.                                                               
                                                                                
-- PMc                                                                          
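The view-ordering argument above (first matching view wins; match-clients ACL and match-recursive-only both have to accept the query; a static-stub zone re-enters the server from localhost without RD; a `recursion no` view REFUSEs RD queries for names it is not authoritative for) can be checked with a small model. This is an added example, not code or configuration from the thread or from BIND; the view names follow the quoted layout, while the networks, the "listed client" address and the zone names are constructed assumptions.

```python
"""Model of BIND's ordered view selection as described in the thread above.
Constructed example: ACLs, zone names and addresses are assumptions."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("127.0.0.0/8")]
LISTED_CLIENTS = [ip_network("198.51.100.7/32")]   # assumed "listed" recursive client

@dataclass
class View:
    name: str
    match_clients: Optional[list]     # None models match-clients { any; }
    recursion: bool
    match_recursive_only: bool = False
    zones: set = field(default_factory=set)        # authoritative zones
    stub_zones: set = field(default_factory=set)   # static-stub -> localhost

def in_zone(qname: str, zone: str) -> bool:
    return qname == zone or qname.endswith("." + zone)

def select_view(views, src, rd: bool) -> Optional[View]:
    """Views are tried in order; the first whose ACL and RD condition accept wins."""
    for v in views:
        if v.match_clients is not None and not any(src in n for n in v.match_clients):
            continue                    # fails match-clients, fall through
        if v.match_recursive_only and not rd:
            continue                    # non-RD query cannot match a recursive-only view
        return v
    return None

def answer(views, src: str, rd: bool, qname: str) -> str:
    v = select_view(views, ip_address(src), rd)
    if v is None:
        return "REFUSED (no view matched)"
    if any(in_zone(qname, z) for z in v.stub_zones):
        # static-stub sends a NON-recursive query to its server-address (localhost),
        # which re-enters view selection and lands in the authoritative internal view
        return f"{v.name} -> " + answer(views, "127.0.0.1", False, qname)
    if any(in_zone(qname, z) for z in v.zones):
        return f"{v.name}: authoritative answer for {qname}"
    if v.recursion:
        return f"{v.name}: recurse for {qname}"
    return f"{v.name}: REFUSED (recursion desired but not available)"

# The ordering argued for in the thread: recursive stub view before the authoritative one.
VIEWS = [
    View("r-internal", INTERNAL_NETS, True, True, stub_zones={"corp.example"}),
    View("internal", INTERNAL_NETS, False, zones={"corp.example"}),
    View("r-external", LISTED_CLIENTS, True, True),
    View("external", None, False, zones={"example.org"}),
]
```

Running `answer(VIEWS, "203.0.113.5", True, "www.corp.example")` shows that a public client asking for the internal zone with RD set falls through to the external view and is REFUSED, so the internal data stays hidden regardless of the RD flag.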