DNSSEC signing of an internal zone gains nothing (unless??)

John W. Blue john.blue at rrcic.com
Mon Aug 1 18:31:55 UTC 2022


Also John .. how can SSHA and TLSA be used if the internal zone fails validation?

John

-----Original Message-----
From: John Franklin [mailto:franklin at sentaidigital.com] 
Sent: Monday, August 1, 2022 12:45 PM
To: John W. Blue
Cc: bind-users at lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)

On Aug 1, 2022, at 12:15, John W. Blue via bind-users <bind-users at lists.isc.org> wrote:
> 
> As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware:  PMs asking for the DNSSEC signing of an internal zone.
>  
> Granted, it has long been considered unwise by DNS pros with a commonly stated reason that it increases the size of the zone yadda, yadda, yadda.
>  [snip]
> Thoughts?

DNSSEC enables use of certain security RRs, such as SSHA and TLSA, which can be used as part of a zero trust solution in DevOps pipelines.  It's also good practice to manage DNSSEC before deploying it on public production sites.

jf
-- 
John Franklin
franklin at sentaidigital.com


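The question raised above (what SSHFP, which the thread calls SSHA, and TLSA are worth when the internal zone is not signed or fails validation) comes down to one bit in the resolver's answer. The following is an added example, not code from the thread or from BIND: it builds the SSHFP records for a host key and models the client-side trust decision the way OpenSSH's VerifyHostKeyDNS option behaves. Assumed here, and not stated in the thread: the client accepts an SSHFP match without prompting only when the validating resolver set the AD bit; an unsigned zone yields the records without AD, so a match is informational and the user is still prompted; a zone that fails validation gets SERVFAIL from a validating resolver, so there are no records to match at all. The owner name, the ed25519 key bytes and the record values are constructed for the example.

```python
"""Added example (not from the bind-users thread): SSHFP generation plus the
DNSSEC-dependent trust decision a VerifyHostKeyDNS-style client makes.

Assumptions (not stated in the thread):
  * an SSHFP match is accepted without prompting only when the resolver set
    the AD bit (the OpenSSH VerifyHostKeyDNS behaviour);
  * the resolver validates, so a zone that fails validation returns SERVFAIL,
    modelled here as dns_records=None.
"""
import base64
import hashlib
import struct

# SSHFP algorithm numbers: RFC 4255 (RSA=1, DSA=2), RFC 6594 (ECDSA=3),
# RFC 7479 (Ed25519=4). Fingerprint types: 1 = SHA-1, 2 = SHA-256.
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
SSHFP_HASHES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_openssh_pubkey(line):
    """Return (key_type, raw_blob) from an authorized_keys-style line and check
    that the type string embedded in the blob matches the textual prefix."""
    key_type, b64 = line.split()[:2]
    blob = base64.b64decode(b64)
    (tlen,) = struct.unpack(">I", blob[:4])
    embedded = blob[4:4 + tlen].decode()
    if embedded != key_type:
        raise ValueError(f"key type mismatch: {key_type} vs {embedded}")
    return key_type, blob


def sshfp_records(line, owner="host.example.internal."):
    """One SSHFP RR per fingerprint type; the fingerprint is the hash of the
    raw key blob, exactly as ssh-keygen -r computes it."""
    key_type, blob = parse_openssh_pubkey(line)
    alg = SSHFP_ALGORITHMS[key_type]
    return [(owner, alg, fptype, h(blob).hexdigest())
            for fptype, h in SSHFP_HASHES.items()]


def format_rr(rr):
    """Render a record tuple in zone-file presentation format."""
    owner, alg, fptype, hexfp = rr
    return f"{owner} IN SSHFP {alg} {fptype} {hexfp}"


def host_key_decision(hostkey_line, dns_records, ad_bit):
    """Trust decision for a presented host key.
    dns_records: list of (alg, fptype, hexfp) from the SSHFP lookup, or None
    when the validating resolver answered SERVFAIL (zone failed validation).
    ad_bit: whether the resolver marked the answer as authenticated data."""
    if dns_records is None:
        return "no-data"          # bogus zone: nothing usable, fall back to known_hosts
    key_type, blob = parse_openssh_pubkey(hostkey_line)
    alg = SSHFP_ALGORITHMS[key_type]
    matched = any(
        r_alg == alg and r_ft in SSHFP_HASHES
        and SSHFP_HASHES[r_ft](blob).hexdigest() == r_fp.lower()
        for r_alg, r_ft, r_fp in dns_records
    )
    if not matched:
        return "mismatch"         # stale record or wrong key: warn/reject
    if not ad_bit:
        return "match-insecure"   # unsigned zone: informational only, still prompt
    return "match-secure"         # signed and validated: accept without prompting


def constructed_host_key():
    """Constructed ed25519 public key for the example (not a real key):
    the 32 key bytes are simply 0x00..0x1f."""
    blob = (struct.pack(">I", 11) + b"ssh-ed25519"
            + struct.pack(">I", 32) + bytes(range(32)))
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    key = constructed_host_key()
    recs = sshfp_records(key)
    for rr in recs:
        print(format_rr(rr))
    published = [(alg, ft, fp) for _, alg, ft, fp in recs]
    print("signed+validated :", host_key_decision(key, published, ad_bit=True))
    print("unsigned zone    :", host_key_decision(key, published, ad_bit=False))
    print("failed validation:", host_key_decision(key, None, ad_bit=False))
```

The point for the internal-zone debate is the last two lines of output: without a signed zone and a validating resolver the SSHFP records can only ever produce "match-insecure", which still leaves a human (or a pipeline) deciding whether to trust the key, and a zone that fails validation produces no records at all. TLSA/DANE has the same dependency, since a client has no reason to pin a certificate to a record it cannot authenticate.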