private trust anchor

Evan Hunt each at isc.org
Sun Feb 10 23:26:27 UTC 2013


On Sun, Feb 10, 2013 at 05:57:42PM -0500, Michael W. Lucas wrote:
> Is there a way to set up a private trust anchor for internal-only
> zones with BIND 9.9?
> 
> I have some local and RFC1918 zones that I'd like to secure. It seems
> I should be able to configure a private trust anchor and use that key
> to sign these zones.
> 
> I've found related docs, like draft-jabley-dnssec-trust-anchor-06,
> which has great gobs of theory, but nothing on how to actually do this
> with BIND.
> 
> Has anyone done this? Or is this just daft?

In my experience the two aren't mutually exclusive, but yes, it does work.
Create keys for your local zones, sign them, and put the KSKs into the
resolver's named.conf in a "trusted-keys" statement.  Then configure the
zones as "type forward", with "forwarders" pointing to the authoritative
server(s) for your zones.  The resolver will then forward queries for those
names to the authoritative servers, and validate the responses.

(If those weren't enough bread crumbs to show you the way, I can expand
on this.)

-- 
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
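The steps in the reply above, as an added example that is not part of the original thread: the script takes the KSK's DNSKEY record (the contents of the K<zone>+<alg>+<id>.key file that dnssec-keygen writes), checks that it really is the KSK (flags 257, not the ZSK's 256, since the trust anchor must point at the key that signs the DNSKEY RRset), and emits the two named.conf stanzas the resolver needs: the "trusted-keys" entry and the "type forward" zone with its "forwarders". The zone name, forwarder addresses and key material are constructed placeholders; the "forward only;" line is a choice made here so the resolver never falls back to recursion for the internal name. The resolver also needs "dnssec-validation yes;" in its options block for the anchor to be used.

```python
"""Build the resolver-side named.conf stanzas for a private DNSSEC trust
anchor from a zone's KSK DNSKEY record.

Added example; zone name, addresses and key bytes are constructed
placeholders, not anything taken from the original thread."""
import base64
import re

KSK_FLAGS = 257  # ZONE (256) + SEP (1): the key-signing key a trust anchor refers to
ZSK_FLAGS = 256  # zone-signing key; rolled more often, so never use it as an anchor

# Master-file DNSKEY RR, with an optional TTL field, e.g.
#   example.internal. IN DNSKEY 257 3 8 AwEAAc...
_DNSKEY_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)


def parse_dnskey(line):
    """Parse one DNSKEY record and return its fields as a dict.

    Rejects records that cannot serve as a trust anchor: wrong protocol
    field, non-KSK flags, or key data that is not valid base64."""
    m = _DNSKEY_RE.match(line.strip())
    if not m:
        raise ValueError("not a DNSKEY record: %r" % line)
    flags = int(m.group("flags"))
    proto = int(m.group("proto"))
    alg = int(m.group("alg"))
    key_b64 = "".join(m.group("key").split())  # key may be wrapped over whitespace
    base64.b64decode(key_b64, validate=True)   # fail loudly on corrupted key data
    if proto != 3:
        raise ValueError("DNSKEY protocol field must be 3, got %d" % proto)
    if flags != KSK_FLAGS:
        raise ValueError("trust anchor must be the KSK (flags 257), got %d" % flags)
    name = m.group("name")
    if not name.endswith("."):
        name += "."  # trusted-keys wants a fully qualified name
    return {"name": name, "flags": flags, "protocol": proto,
            "algorithm": alg, "key": key_b64}


def trusted_keys_stanza(keys):
    """Render a BIND "trusted-keys" statement for the given parsed KSKs."""
    lines = ["trusted-keys {"]
    for k in keys:
        lines.append('    "%s" %d %d %d "%s";'
                     % (k["name"], k["flags"], k["protocol"], k["algorithm"], k["key"]))
    lines.append("};")
    return "\n".join(lines)


def forward_zone_stanza(name, forwarders):
    """Render the forward zone that sends queries for `name` to the
    authoritative servers, whose signed answers the resolver validates."""
    addrs = " ".join("%s;" % a for a in forwarders)
    return "\n".join([
        'zone "%s" {' % name.rstrip("."),
        "    type forward;",
        "    forward only;",  # never recurse for this name; internal zones are not in the public tree
        "    forwarders { %s };" % addrs,
        "};",
    ])


def resolver_config(dnskey_lines, forwarders):
    """Parse every KSK record given and return the complete named.conf fragment."""
    keys = [parse_dnskey(l) for l in dnskey_lines]
    stanzas = [trusted_keys_stanza(keys)]
    stanzas += [forward_zone_stanza(k["name"], forwarders) for k in keys]
    return "\n\n".join(stanzas)


# Constructed sample input: placeholder key bytes, not real key material.
FAKE_KEY = base64.b64encode(b"constructed placeholder, not a real DNSKEY!!").decode()
SAMPLE_KSK = "example.internal. IN DNSKEY 257 3 8 " + FAKE_KEY
SAMPLE_ZSK = "example.internal. 3600 IN DNSKEY 256 3 8 " + FAKE_KEY

if __name__ == "__main__":
    print(resolver_config([SAMPLE_KSK], ["10.0.0.53", "10.0.0.54"]))
```

Run it and paste the output into the resolver's named.conf; re-run it after every KSK rollover, since a private anchor is not covered by RFC 5011 managed-keys and has to be updated by hand.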


