DNSSEC basic information

John W. Blue john.blue at rrcic.com
Tue Sep 24 18:05:14 UTC 2019


Anne,

Nothing prevents anyone from using DNSSEC internally but, as I understand it, that was not the intent.  Additionally, if there is an obligation to validate zones internal to an organization, that in and of itself should be a really big red flag that something is wrong with trust relationships.

So the nuts and bolts of enabling DNSSEC increase zone data by 30 to 40%, not to mention the additional crypto load induced if there are frequent changes.  If a split horizon is in use then internal zones typically have more records than external.  On a zone that has a handful of records and very low QPS, a signed internal zone is a non-issue.

As with everything, when you scale up unintended consequences of choices made tend to kick in.

John

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Anne Bennett
Sent: Tuesday, September 24, 2019 12:46 PM
To: bind-users at isc.org
Subject: Re: DNSSEC basic information


Evan Hunt answers Jukka Pakkanen:

> In newer releases there's also a configuration option, 
> "validate-except", which permanently disables validation below 
> specified domains. This can be used, for example, if you have an 
> internal network using a fake TLD and you want to prevent it from showing up as bogus.

... and in a separate message, John W. Blue wrote:

> 1. DNSSEC was designed for external zones
I have a case where I recently had to use "validate-except" because of a domain (not mine) whose external view is signed but not the internal view; my resolver gets the internal view for that zone.

Can someone enlighten me as to why "DNSSEC was designed for external zones", and under what circumstances it makes sense to *not* sign an internal view?  It seems to me that it would be most consistent to sign both external and internal views.
Anne.
--
Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8
anne at encs.concordia.ca                                    +1 514 848-2424 x2285
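As an added example that is not part of this thread, here is how the "validate-except" option Evan Hunt describes would look in a BIND resolver's named.conf; the zone name corp.example and the split-horizon situation (public view signed, internal view unsigned) are assumed for illustration.

```conf
options {
    // Keep DNSSEC validation enabled for everything else, using the
    // built-in root trust anchor.
    dnssec-validation auto;

    // Assumed: corp.example is a zone whose public view is signed but
    // whose internal view, the one this resolver receives, is not.
    // Without this exception the parent's DS record makes the resolver
    // expect signatures, so the unsigned internal answers are treated
    // as bogus and clients get SERVFAIL. The exception applies to the
    // listed name and everything below it, so keep the list as narrow
    // as possible.
    validate-except { "corp.example"; };
};
```

Only zones you have confirmed are unsigned in the view you receive belong in this list, since validation is switched off for them entirely rather than repaired.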