DNSSEC signing of an internal zone gains nothing (unless??)
Grant Taylor
gtaylor at tnetconsulting.net
Mon Aug 1 16:29:29 UTC 2022
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the AD
> flag will not be set. You will only get the AA flag. So there is
> nothing to be gained from signing an internal zone.
I feel like that's an unacceptably big if. It also precludes clients
from doing client-side DNSSEC validation.
Finally, why hold internal systems to a lower security standard than
external systems?
--
Grant. . . .
unix || die
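To make the AA-versus-AD distinction in the quoted text concrete, here is an added example (not from either poster) that decodes the 12-byte DNS header and reports what a client may conclude from the flags. The sample headers are constructed for the demonstration, not captured traffic; bit positions follow RFC 1035 section 4.1.1 and RFC 4035 section 3.2.3.

```python
import struct

# DNS header flag bits (RFC 1035 4.1.1; AD/CD from RFC 4035 3.2.3)
QR = 0x8000  # message is a response
AA = 0x0400  # Authoritative Answer: set by the zone's authoritative server
RD = 0x0100  # Recursion Desired
RA = 0x0080  # Recursion Available
AD = 0x0020  # Authenticated Data: set only by a validating resolver
CD = 0x0010  # Checking Disabled

def parse_header(msg: bytes) -> dict:
    """Decode the fixed DNS header and return the security-relevant flags."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    msg_id, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": msg_id,
        "qr": bool(flags & QR),
        "aa": bool(flags & AA),
        "ad": bool(flags & AD),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }

def dnssec_trust_status(msg: bytes) -> str:
    """Classify what a client may conclude about DNSSEC from a response."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not-a-response"
    if h["ad"]:
        # AD: an upstream validating resolver checked the signature chain
        return "validated-by-resolver"
    if h["aa"]:
        # AA without AD: direct answer from the authoritative server;
        # nothing has been validated, so the client must validate itself
        return "authoritative-unvalidated"
    return "unvalidated"

def make_header(flags: int, msg_id: int = 0x1234, ancount: int = 1) -> bytes:
    """Build a constructed 12-byte header (one question, no other sections)."""
    return struct.pack("!6H", msg_id, flags, 1, ancount, 0, 0)

# Constructed sample headers for the three cases discussed in the thread
AUTH_SERVER_RESPONSE = make_header(QR | AA)                   # talking to the auth server
VALIDATING_RESOLVER_RESPONSE = make_header(QR | RD | RA | AD)  # validating recursive resolver
NONVALIDATING_RESOLVER_RESPONSE = make_header(QR | RD | RA)   # resolver without validation

if __name__ == "__main__":
    for name, pkt in [("auth", AUTH_SERVER_RESPONSE),
                      ("validating", VALIDATING_RESOLVER_RESPONSE),
                      ("non-validating", NONVALIDATING_RESOLVER_RESPONSE)]:
        print(f"{name:15s} -> {dnssec_trust_status(pkt)}")
```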