DNSSEC basic information
John W. Blue
john.blue at rrcic.com
Tue Sep 24 19:52:32 UTC 2019
Tony,
Thanks for the observations!
My comments about intent and zone data size is based upon information that was presented at Infoblox training classes I have attended. I would assume that Infoblox being Infoblox would be (mostly) accurate when it comes to developing a slide deck. However, context is everything.
.local et al TLD's have forever been a burr under my saddle and I know that many on this list will see no objection to the use of them. But I kill em off every chance I get.
John
-----Original Message-----
From: Tony Finch [mailto:dot at dotat.at]
Sent: Tuesday, September 24, 2019 2:01 PM
To: John W. Blue
Cc: bind-users at isc.org
Subject: RE: DNSSEC basic information
John W. Blue <john.blue at rrcic.com> wrote:
>
> Nothing prevents anyone from using DNSSEC internally but, as I
> understand it, that was not the intent.
I'm a relative newcomer having only done DNSSEC for about 10 years (so I wasn't around until most of the design arguments were settled), but I don't remember seeing anyone say it wasn't intended for internal zones.
There can be some awkward things that make it much harder than signing a public zone, though:
* if your internal DNS squats on a fake TLD
* if someone says you can't use the same keys to sign internal and
external views
* RFC 1918 reverse DNS
It would be a lot less awkward if there were a good way to distribute trust anchors for internal zones, but sadly there isn't.
> Additionally, if there is an obligation to validate zones internal to
> an organization that in of itself should be a really big red flag
> something is wrong with trust relationships.
That depends a lot on how tightly controlled your org is :-) In my fantasy world the DNS would serve as a convenient PKI for bootstrapping trust; but in the real world it's probably easier to boostrap off private x.509 trust anchors or even ssh certificate auth, rather than DNSSEC, sadface.
> So the nuts and bolts of enabling DNSSEC increases zone data by 30 to
> 40%
More like a factor of 3.5x (number of records) or 10x (bytes of presentation format zone file) based on the cam.ac.uk zone (43k records before signing).
> not to mention the additional crypto load induced if there are
> frequent changes.
You need to be up in the thousands of updates per second before this is a problem - see https://lists.dns-oarc.net/pipermail/dns-operations/2019-September/019205.html
> If a split horizon is in use then internal zones typically have more
> records than external.
Yeah, private.cam.ac.uk has 350k records unsigned, but we're possibly being silly about DHCP placeholder records :-)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/ Dover, Wight, Portland, Plymouth, Biscay: West or southwest 5 to 7, occasionally gale 8 except in Biscay. Moderate or rough in Dover and east Wight, but elsewhere rough or very rough. Showers. Moderate or good.
More information about the bind-users
mailing list