DNSSEC and forward zones
Scott Morizot
tmorizot at sd.is.irs.gov
Tue Nov 1 20:28:54 UTC 2011
On 1 Nov 2011 at 20:02, Phil Mayers wrote:
> On 11/01/2011 06:34 PM, Scott Morizot wrote:
>
> > Alternatively, you can sign 'policydomain.internal' and configure its key
> > as one of the trust anchors on the validating name servers. The order of
> > validation is, if I recall correctly, locally configured trust anchors,
> > then chain of trust from root, and finally DLVs. So doing that should
> > provide a successful validation for the domain.
>
> So presumably you could also follow Lyle's suggestion - have a local
> "private" zone, signed, with a local trust anchor and an *in*secure
> delegation to "policydomain.internal"?
Depends on what you have in place. The above would work, but if all you
have that you're trying to forward to is policydomain.internal, just sign
policydomain.internal and configure that key in your trust anchors. As I
said, I believe local trust anchors are always checked before chain of
trust is checked.
Scott
Scott Morizot
"In software development, optimism is a disease;
feedback is the cure." -- Kent Beck
More information about the bind-users
mailing list