DNSSEC signing of an internal zone gains nothing (unless??)

Ondřej Surý ondrej at isc.org
Mon Aug 1 18:40:00 UTC 2022


Don’t mix functions - separate your recursive and your authoritative (internal) servers. Then you can have the AD from the resolver.

That said, the AD from the resolver means something only if the last mile is trusted.

But DNSSEC also asserts the integrity of the zone in case it’s transferred to secondaries, or provided by a secure signing system, etc…

Ondrej
--
Ondřej Surý — ISC (He/Him)

My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
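An added illustration of the flag distinction discussed in this thread (not code from the list post or from ISC): it decodes the header flags the way `dig` prints them, using constructed sample headers for an authoritative reply (AA set, AD clear) and for a validating resolver's reply (AD set), and shows why the AD bit alone proves nothing over an untrusted last mile.

```python
import struct

# DNS header flag bits (RFC 1035, AD/CD from RFC 4035), in the order dig
# prints them in the "flags:" line of a response.
FLAG_BITS = {"qr": 1 << 15, "aa": 1 << 10, "tc": 1 << 9, "rd": 1 << 8,
             "ra": 1 << 7, "ad": 1 << 5, "cd": 1 << 4}


def header_flags(message: bytes) -> list[str]:
    """Return the set flags of a DNS message, dig style ('qr aa rd ...')."""
    if len(message) < 12:
        raise ValueError("a DNS header is 12 bytes")
    (flags,) = struct.unpack("!H", message[2:4])
    return [name for name, bit in FLAG_BITS.items() if flags & bit]


def make_header(flags: list[str], txid: int = 0x1234) -> bytes:
    """Build a constructed 12-byte header: given flags, 1 question, 1 answer."""
    word = 0
    for name in flags:
        word |= FLAG_BITS[name]
    return struct.pack("!HHHHHH", txid, word, 1, 1, 0, 0)


# Constructed samples, not real captures: the same answer as served directly
# by the internal authoritative server, and as returned by a separate
# validating recursive resolver that holds a trust anchor for the zone.
AUTHORITATIVE_REPLY = make_header(["qr", "aa", "rd"])
RESOLVER_REPLY = make_header(["qr", "rd", "ra", "ad"])


def dnssec_validated(message: bytes) -> bool:
    """True only when the responder claims validation (AD). An authoritative
    server answers with AA for its own data and never sets AD, so a client
    talking straight to it sees no validation status at all."""
    return "ad" in header_flags(message)


def set_ad(message: bytes) -> bytes:
    """Set AD on any message. The bit is just a header flag: whoever sits
    between resolver and client can set or clear it, which is why AD only
    means something when that last mile is trusted (or the client validates)."""
    (flags,) = struct.unpack("!H", message[2:4])
    return message[:2] + struct.pack("!H", flags | FLAG_BITS["ad"]) + message[4:]
```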

> On 1. 8. 2022, at 18:40, John W. Blue via bind-users <bind-users at lists.isc.org> wrote:
> 
> And that is my point .. show me your +dnssec dig against an internal authoritative server that has AD set.
> 
> John
> 
> -----Original Message-----
> From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of Grant Taylor via bind-users
> Sent: Monday, August 1, 2022 11:29 AM
> To: bind-users at lists.isc.org
> Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)
> 
>> On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
>> While that extra overhead is true, it is more accurate to say that if 
>> internal clients are talking directly to an authoritative server the 
>> AD flag will not be set.  You will only get the AA flag.  So there is 
>> nothing to be gained from signing an internal zone.
> 
> I feel like that's an unacceptably big if.  It also precludes clients from doing client side DNSSEC validation.
> 
> Finally, why hold internal systems to a lower security standard than external systems?
> 
> 
> 
> -- 
> Grant. . . .
> unix || die
> 
