DNSSEC basic information

John W. Blue john.blue at rrcic.com
Tue Sep 24 19:52:32 UTC 2019 

Tony,

Thanks for the observations!

My comments about intent and zone data size is based upon information that was presented at Infoblox training classes I have attended.  I would assume that Infoblox being Infoblox would be (mostly) accurate when it comes to developing a slide deck.  However, context is everything.

.local et al TLD's have forever been a burr under my saddle and I know that many on this list will see no objection to the use of them.  But I kill em off every chance I get.

John

-----Original Message-----
From: Tony Finch [mailto:dot at dotat.at] 
Sent: Tuesday, September 24, 2019 2:01 PM
To: John W. Blue
Cc: bind-users at isc.org
Subject: RE: DNSSEC basic information

John W. Blue <john.blue at rrcic.com> wrote:
>
> Nothing prevents anyone from using DNSSEC internally but, as I 
> understand it, that was not the intent.

I'm a relative newcomer having only done DNSSEC for about 10 years (so I wasn't around until most of the design arguments were settled), but I don't remember seeing anyone say it wasn't intended for internal zones.

There can be some awkward things that make it much harder than signing a public zone, though:

  * if your internal DNS squats on a fake TLD

  * if someone says you can't use the same keys to sign internal and
    external views

  * RFC 1918 reverse DNS

It would be a lot less awkward if there were a good way to distribute trust anchors for internal zones, but sadly there isn't.

> Additionally, if there is an obligation to validate zones internal to 
> an organization that in of itself should be a really big red flag 
> something is wrong with trust relationships.

That depends a lot on how tightly controlled your org is :-) In my fantasy world the DNS would serve as a convenient PKI for bootstrapping trust; but in the real world it's probably easier to boostrap off private x.509 trust anchors or even ssh certificate auth, rather than DNSSEC, sadface.

> So the nuts and bolts of enabling DNSSEC increases zone data by 30 to 
> 40%

More like a factor of 3.5x (number of records) or 10x (bytes of presentation format zone file) based on the cam.ac.uk zone (43k records before signing).

> not to mention the additional crypto load induced if there are 
> frequent changes.

You need to be up in the thousands of updates per second before this is a problem - see https://lists.dns-oarc.net/pipermail/dns-operations/2019-September/019205.html

> If a split horizon is in use then internal zones typically have more 
> records than external.

Yeah, private.cam.ac.uk has 350k records unsigned, but we're possibly being silly about DHCP placeholder records :-)

Tony.
--
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/ Dover, Wight, Portland, Plymouth, Biscay: West or southwest 5 to 7, occasionally gale 8 except in Biscay. Moderate or rough in Dover and east Wight, but elsewhere rough or very rough. Showers. Moderate or good.

More information about the bind-users mailing list