DNSSEC signing of an internal zone gains nothing (unless??)
Grant Taylor
gtaylor at tnetconsulting.net
Mon Aug 1 19:20:32 UTC 2022
Let's flip this on its head.
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
> As some enterprise networks begin to engineer towards the concepts of
> ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC
> signing of an internal zone.
So why shouldn't the internal zone(s) be signed?
> Granted, it has long been considered unwise by DNS pros with a commonly
> stated reason that it increases the size of the zone yadda, yadda, yadda.
Are we really going to let the storage capacity / memory consumption of
the DNS server dictate the security posture?
If anything, it seems like this is a justification to upgrade the DNS
server. }:-)
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the AD
> flag will not be set. You will only get the AA flag. So there is
> nothing to be gained from signing an internal zone.
An argument could be made that this seems like an excuse to not sign zones.
> However, I have not tested it yet, I would assume that if a
> non-authoritative internal server was queried it would be able to walk
> the chain of trust and return AD.
I would expect so.
> Thoughts?
Yes; sign the internal zone(s). Upgrade the servers to hold the
(somewhat) larger zone(s) if you need to.
--
Grant. . . .
unix || die
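The AA-versus-AD distinction discussed in the thread, shown on two constructed DNS response headers (an added example, not code from the thread or from BIND; the sample headers are hand-built, not captured traffic):

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3).
QR = 0x8000  # message is a response
AA = 0x0400  # authoritative answer: server is authoritative for the zone
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authentic data: a validating resolver checked the DNSSEC chain
CD = 0x0010  # checking disabled


def parse_header(msg: bytes) -> dict:
    """Unpack the fixed 12-byte DNS header into named fields and flags."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def trust_status(hdr: dict) -> str:
    """What a client may conclude from the header flags alone."""
    if not hdr["qr"]:
        return "not a response"
    if hdr["ad"]:
        return "validated: a validating resolver walked the chain of trust"
    if hdr["aa"]:
        return "authoritative but unvalidated: AA only, no AD (direct query)"
    return "unvalidated: neither AA nor AD"


# Constructed sample headers: ID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT.
# A client querying the authoritative server directly sees AA but never AD.
FROM_AUTHORITATIVE = struct.pack("!HHHHHH", 0x1234, QR | AA | RD, 1, 1, 0, 0)
# The same answer via a validating recursive resolver carries RA and AD, not AA.
FROM_VALIDATING_RESOLVER = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0)

if __name__ == "__main__":
    for label, raw in (("authoritative", FROM_AUTHORITATIVE),
                       ("resolver", FROM_VALIDATING_RESOLVER)):
        print(f"{label}: {trust_status(parse_header(raw))}")
```

AD only states that the resolver validated; a client that is not validating itself must still trust that resolver and the path to it.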