Overwrite A record from DNSSEC protected domain if I am the owner of the domain

Matthias Fechner idefix at fechner.net
Wed Apr 26 16:36:32 UTC 2017


Dear all,

I have a domain fechner.net which is protected using DNSSEC.

The zone is managed on a server located in a data center.

Some A records are pointing to a computer that has a low speed internet 
connection on the WAN side, but very fast connection on the LAN side.

If I am now located in this LAN and I resolve the hostname (in this LAN 
also bind9.10 is running), I will get the IP of the WAN connection and 
the traffic is flowing out of the interface where the standard gateway 
is defined, goes to the provider and is coming back over a tunnel using 
the WAN connection. I can explain it more in detail, but the routing 
should not be important for the question I have.

Now I would like to overwrite some of the A records from my zone (I have 
full access to public and private key for DNSSEC).
Some CNAMEs will point to this A record, so I have to change only the IP 
from the A record, all other CNAMEs can be handled by the official bind 
that is reachable on the internet.

Normally I would use RPZ to handle this, but it seems that this will not 
work if the A record is using DNSSEC (at least the manual says that it 
will not rewrite the A record if DNSSEC is used to protect the A record).

So what I would like to have:
- if I resolve from external it should resolve to the official IP that is 
reachable from the internet
- if I resolve from my local LAN it should return the internal IP like 
192.168.0.1, that is only reachable from the LAN

What is the suggested (best practice) approach to handle such a case 
with bind 9.10?

Thanks a lot.

Gruß
Matthias

-- 

"Programming today is a race between software engineers striving to
build bigger and better idiot-proof programs, and the universe trying to
produce bigger and better idiots. So far, the universe is winning." --
Rich Cook
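Since RPZ declines to rewrite answers that validate under DNSSEC, the common way to get the split behaviour asked for above is to make the LAN resolver authoritative for its own copy of the zone, signed with the same keys as the public copy so validating LAN clients still chain to the parent DS. The following named.conf fragment is an added example, not from the original post; the ACL range, file paths and key directory are assumptions, and the internal copy must carry the whole zone (CNAMEs included), since an authoritative view does not fall back to the public server for the rest of the zone.

```conf
// Added example: split-horizon views for fechner.net on the LAN bind 9.10.
// The internal view answers LAN clients from a locally signed zone copy
// that carries the private address; the external view serves the public copy.
// ACL ranges, file names and key-directory are assumptions.

acl "lan" { 192.168.0.0/24; 127.0.0.0/8; };

view "internal" {
    match-clients { "lan"; };
    recursion yes;
    dnssec-validation auto;   // keep validating everything else

    // Authoritative copy for LAN clients: same zone, internal A record.
    // Signed with the same ZSK/KSK as the public zone (assumed to live in
    // key-directory), so the existing DS in the parent still validates it.
    zone "fechner.net" {
        type master;
        file "internal/fechner.net.db";   // host A -> 192.168.0.1
        key-directory "keys/fechner.net"; // keys shared with public copy
        inline-signing yes;
        auto-dnssec maintain;
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "fechner.net" {
        type master;
        file "external/fechner.net.db";   // host A -> public WAN address
        key-directory "keys/fechner.net";
        inline-signing yes;
        auto-dnssec maintain;
    };
};
```

To check the result, run `dig +dnssec host.fechner.net A` against the LAN resolver from inside (expect 192.168.0.1 with the AD flag set) and against the public server from outside (expect the WAN address); both answers should validate because the RRSIGs come from the same key pair.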


