Overwrite A record from DNSSEC protected domain if I am the owner of the domain

Mathew Ian Eis Mathew.Eis at nau.edu
Thu Apr 27 00:57:00 UTC 2017


What you are describing more generally sounds like what is known as split-view or split-horizon DNS. In short, you split all (or part by virtue of delegation or forwarders) of your namespace into “internal” and “external” partitions; this is documented in the context of BIND here: https://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch04.html#split_dns

Best practices for DNSSEC under split-view vary, but several approaches along with their strengths and weaknesses are documented in this RFC draft:
https://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04

We have been using 4.1.2 in production for the last year or so… it works very well, but as the draft suggests there is a high overhead in the management of the keys, zones, and views, especially if you have a large namespace.

4.1.5 may be an easier option if you are a small shop and trust your internal networks.

Cheers,

Mathew Eis
Northern Arizona University
Information Technology Services

-----Original Message-----
From: bind-users <bind-users-bounces at lists.isc.org> on behalf of Matthias Fechner <idefix at fechner.net>
Date: Wednesday, April 26, 2017 at 9:36 AM
To: "bind-users at lists.isc.org" <bind-users at lists.isc.org>
Subject: Overwrite A record from DNSSEC protected domain if I am the owner of the domain

    Dear all,
    
    I have a domain fechner.net which is protected using DNSSEC.
    
    The zone is managed on a server located in a data center.
    
    Some A records are pointing to a computer that has a low speed internet 
    connection on the WAN side, but very fast connection on the LAN side.
    
    If I am now located in this LAN and I resolve the hostname (in this LAN 
    also bind9.10 is running), I will get the IP of the WAN connection and 
    the traffic is flowing out of the interface where the standard gateway 
    is defined, goes to the provider and is coming back over a tunnel using 
    the WAN connection. I can explain it more in detail, but the routing 
    should not be important for the question I have.
    
    Now I would like to overwrite some of the A records from my zone (I have 
    full access to public and private key for DNSSEC).
    Some CNAMEs will point to this A record, so I have to change only the IP 
    from the A record, all other CNAMEs can be handled by the official bind 
    that is reachable on the internet.
    
    Normally I would use RPZ to handle this, but it seems that this will not 
    work if the A record is using DNSSEC (at least the manual says that it 
    will not rewrite the A record if DNSSEC is used to protect the A record).
    
    So what I would like to have:
    - if I resolve from external it should resolve to the official IP that is 
    reachable from the internet
    - if I resolve from my local LAN it should return the internal IP like 
    192.168.0.1, that is only reachable from the LAN
    
    What is the suggested (best practice) approach to handle such a case 
    with bind 9.10?
    
    Thanks a lot.
    
    Regards
    Matthias
    
    -- 
    
    "Programming today is a race between software engineers striving to
    build bigger and better idiot-proof programs, and the universe trying to
    produce bigger and better idiots. So far, the universe is winning." --
    Rich Cook
    
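The split-view setup the reply recommends, as an added example written for this page and not taken from either message or from ISC's documentation. It shows a named.conf fragment for BIND 9.10 with an "internal" and an "external" view of fechner.net, where only the internal copy of the zone carries the LAN address and both copies are signed with the same key pair so the chain of trust from the DS record in .net stays valid for validating clients on either side. The LAN prefix 192.168.0.0/24, the host name home.fechner.net, the public address 203.0.113.10 (TEST-NET-3, constructed for the example), the file paths and the key directory are all assumptions; the LAN server is assumed to hold its own editable master copy of the zone rather than slaving it from the data-center server, since a slaved copy could not be altered.

```conf
// named.conf fragment: split-view DNSSEC for fechner.net (added example).
// Assumptions: LAN is 192.168.0.0/24; unsigned master files live under
// /etc/bind/zones/{internal,external}/; KSK and ZSK files for fechner.net
// live in /etc/bind/keys and are the same keys on both views.
//
// The only difference between the two zone files is one A record:
//   zones/internal/fechner.net:  home  IN A  192.168.0.1    ; LAN address
//   zones/external/fechner.net:  home  IN A  203.0.113.10   ; public address
// CNAMEs such as "www IN CNAME home" stay identical in both copies, so only
// the target A record is overridden, as the original question asked.

acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/etc/bind";
    dnssec-enable yes;
    dnssec-validation auto;
};

// View for LAN clients: serves the internal copy and also recurses for them.
// Signing with the same keys keeps internal validators happy: the DNSKEY
// RRset matches the DS published in .net, and the overridden A record gets
// a fresh RRSIG from the same ZSK when the zone is re-signed.
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "fechner.net" {
        type master;
        file "zones/internal/fechner.net";
        key-directory "keys";
        inline-signing yes;      // named keeps the signed copy itself
        auto-dnssec maintain;    // re-sign as records change and keys roll
    };
};

// View for everyone else: the public copy, no recursion.
view "external" {
    match-clients { any; };
    recursion no;
    zone "fechner.net" {
        type master;
        file "zones/external/fechner.net";
        key-directory "keys";
        inline-signing yes;
        auto-dnssec maintain;
    };
};
```

After editing the internal zone file, bump its serial and reload the zone in that view (`rndc reload fechner.net in internal`), then verify from a LAN host that the override validates end to end: `dig +dnssec home.fechner.net @<lan-server>` should return 192.168.0.1 with the AD flag set, while the same query from outside returns the public address. The management overhead the reply warns about is visible here: two zone files and two signing jobs have to be kept in step, and a key rollover has to be carried out in both views with the same key files. The RPZ limitation the original poster hit is a deliberate default; BIND's `response-policy` statement has a `break-dnssec yes` option that makes RPZ rewrite validated answers too, but that turns the LAN resolver into an on-path modifier of signed data and any client that validates for itself will then reject the rewritten record, which is why views rather than RPZ are the usual answer for this case.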


