DNSSEC signing of an internal zone gains nothing (unless??)

Timothe Litt litt at acm.org
Tue Aug 2 09:51:28 UTC 2022


On 01-Aug-22 12:15, John W. Blue wrote:
>
> While that extra overhead is true, it is more accurate to say that if 
> internal clients are talking directly to an authoritative server the 
> AD flag will not be set.  You will only get the AA flag.  So there is 
> nothing to be gained from signing an internal zone.
>
You can get the AD flag set, with a bit of extra work.  I've done this 
for years.

The question of whether the client resolver does/should trust the AD 
flag is situation dependent.

Before your authoritative view, define a recursive view with the 
internal zones defined as static-stub, match-recursive-only "yes",  and 
a server-address of localhost.  In the authoritative view, you can share 
the cache (attach-cache) with the recursive view.

It's pretty straightforward to automate keeping the static-stub list in 
sync - I keep it in a separate .conf file.

e.g. this outline (the order matters, views are selected first-match)

view "r-internal" in {
    match-clients { ... };
    match-recursive-only yes;
    recursion yes;
    // -- standard config --

    /* Included */
    // -- trusted-keys --

    zone "example.net" in {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

view "internal" in {
    attach-cache "r-internal";
    recursion no;

    // -- standard config --

    /* included */

    zone "example.net" in {
        auto-dnssec maintain;
        type master;
        file ...;
        // -- standard config --
    };
};

view "r-external" in { /* if you allow external recursion, or use acls
                          to fake external clients */
    ...
};

view "external" in {
    ...
};

A script along the lines of:

perl -e 'while(<>){/^\s*zone/ && print $_," type static-stub;\n  server-addresses { 127.0.0.1; };  \n}; \n"}' <internal_zones.conf >internal_stub_zones.conf

will generate the static-stub declarations.

Of course, depending on how you add/remove zones, YMMV.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
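The two checks a practitioner would want around the setup above, as an added example that is not the poster's script and not part of the original thread: a generator that turns the authoritative view's `zone "..." {` declarations into the matching static-stub declarations for the recursive view (the same job as the Perl one-liner, but skipping comment lines and tolerating an explicit class keyword), and a small parser for dig's `;; flags:` header line that tells you whether an answer came back validated (`ad`) or merely authoritative (`aa`), which is the symptom of clients talking straight to the authoritative view. The sample config fragment and the two dig header lines are constructed for this example; the single-zone-per-line layout is an assumption carried over from the one-liner.

```python
"""Generate static-stub declarations for a BIND recursive view from the
authoritative view's zone declarations, and classify a dig response by
its header flags.  Added example; assumes one `zone "name" [class] {`
opener per line, as the one-liner in the thread does."""
import re

# Matches: zone "example.net" in {   /  zone "example.net" {   (class optional)
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"(?:\s+(?:in|ch|hs))?\s*\{', re.IGNORECASE)

# Constructed sample of an internal_zones.conf fragment (not from the page).
SAMPLE_INTERNAL_ZONES = """\
// internal authoritative zones (constructed sample)
zone "example.net" in {
    auto-dnssec maintain;
    type master;
    file "primary/example.net.db";
};

zone "10.in-addr.arpa" IN {
    type master;
    file "primary/10.in-addr.arpa.db";
};
"""


def zone_names(conf_text):
    """Return the zone names declared in a named.conf fragment, in order."""
    names = []
    for line in conf_text.splitlines():
        if line.lstrip().startswith(("//", "#")):
            continue  # comment line, never a zone opener
        m = ZONE_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def static_stub_block(name, server="127.0.0.1"):
    """One static-stub declaration pointing at the local authoritative view."""
    return (f'zone "{name}" in {{\n'
            f'    type static-stub;\n'
            f'    server-addresses {{ {server}; }};\n'
            f'}};\n')


def stub_zones_conf(conf_text, server="127.0.0.1"):
    """The file to include in the recursive view (r-internal above)."""
    return "\n".join(static_stub_block(n, server) for n in zone_names(conf_text))


# dig prints the header flags as ";; flags: qr rd ra ad; QUERY: 1, ..."
DIG_FLAGS_RE = re.compile(r';; flags:\s*([a-z ]*);')


def dig_flags(dig_output):
    """Set of header flags from dig's ';; flags:' line (empty if absent)."""
    m = DIG_FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def diagnose(dig_output):
    """Classify where the answer came from, based on the flags only:
    'validated'          - ad set: a validating resolver answered
    'authoritative-only' - aa set, ad clear: client hit the auth view directly
    'unvalidated'        - neither: recursive answer without validation"""
    flags = dig_flags(dig_output)
    if "ad" in flags:
        return "validated"
    if "aa" in flags:
        return "authoritative-only"
    return "unvalidated"


# Constructed dig header lines for the two cases discussed in the thread.
AUTH_ONLY = ";; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"
VALIDATED = ";; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1"

if __name__ == "__main__":
    print(stub_zones_conf(SAMPLE_INTERNAL_ZONES))
    print("direct-to-auth answer:", diagnose(AUTH_ONLY))
    print("answer via r-internal:", diagnose(VALIDATED))
```

Feed `diagnose()` the output of `dig +dnssec @<server> <name>` from an internal client: `authoritative-only` means the query matched the authoritative view (no `ad` is possible there), `validated` means it went through the recursive view and the trust anchor in that view's trusted-keys checked out.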
