DNSSEC signing of an internal zone gains nothing (unless??)
John W. Blue
john.blue at rrcic.com
Mon Aug 1 16:15:10 UTC 2022
As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PM's asking for the DNSSEC signing of an internal zone.
Granted, it has long been considered unwise by DNS pro's with a commonly stated reason that it increasing the size of the zone yadda, yadda, yadda.
While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from signing an internal zone.
However, I have not tested it yet, I would assume that if a non-authoritative internal server was queried it would be able to walk the chain of trust and return AD.
Thoughts?
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20220801/4bc85db8/attachment.htm>
More information about the bind-users
mailing list