DNSSEC signing of an internal zone gains nothing (unless??)
Timothe Litt
litt at acm.org
Tue Aug 2 09:51:28 UTC 2022
On 01-Aug-22 12:15, John W. Blue wrote:
>
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the
> AD flag will not be set. You will only get the AA flag. So there is
> nothing to be gained from signing an internal zone.
>
You can get the AD flag set, with a bit of extra work. I've done this
for years.
The question of whether the client resolver does/should trust the AD
flag is situation dependent.
Before your authoritative view, define a recursive view with the
internal zones defined as static-stub, match-recursive-only "yes", and
a server-address of localhost. In the authoritative view, you can share
the cache (attach-cache) with the recursive view.
It's pretty straightforward to automate keeping the static-stub list in
sync - I keep it in a separate .conf file.
e.g. this outline (the order matters, views are selected first-match)
view "r-internal" in {
    match-clients { ... };
    match-recursive-only yes;
    recursion yes;
    -- standard config --
    /* Included */
    -- trusted-keys --
    zone "example.net" in {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};
view "internal" in {
    attach-cache "r-internal";
    recursion no;
    -- standard config --
    /* included */
    zone "example.net" in {
        auto-dnssec maintain;
        type master;
        file ...;
        -- standard config --
    };
};
view "r-external" in { /* if you allow external recursion, or use acls
                          to fake external clients */
    ...
};
view "external" in {
    ...
};
|
A script along the lines of:
perl -e 'while(<>){/^\s*zone/ && print $_," type static-stub;\n server-addresses { 127.0.0.1; };\n};\n"}' <internal_zones.conf >internal_stub_zones.conf
will generate the static-stub declarations.
Of course, depending on how you add/remove zones, YMMV.
Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed.
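A more defensive version of that generator, added here as an example (it is not Timothe Litt's script): it parses the zone blocks of an authoritative include file, keeps only zones the server itself serves (master/primary/slave/secondary), ignores hint and forward zones and commented-out blocks, and produces nothing when run over its own output, so the stub file can be regenerated safely. The input layout and the sample zones are assumed and constructed for the example.

```python
import re

# Opening line of a zone block: zone "name" [in] {
ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"(?:\s+in)?\s*\{', re.IGNORECASE)
# "type xxx;" may sit on its own line or on the zone line itself
TYPE_RE = re.compile(r'(?:^|[\s{;])type\s+([a-z-]+)\s*;', re.IGNORECASE)
# Only zones this server answers for get a static-stub twin; hint/forward/static-stub do not
SERVED = {"master", "primary", "slave", "secondary"}

def strip_comments(text):
    """Drop /* */, // and # comments so commented-out zones are not stubbed."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def served_zones(conf_text):
    """Return the names of zones whose block declares a locally served type."""
    zones, current, ztype, depth = [], None, None, 0
    for line in strip_comments(conf_text).splitlines():
        m = ZONE_RE.match(line)
        if m and current is None:
            current, ztype, depth = m.group(1), None, 0
        if current is None:
            continue
        t = TYPE_RE.search(line)
        if t:
            ztype = t.group(1).lower()
        depth += line.count("{") - line.count("}")  # follow nested blocks
        if depth <= 0:  # zone block closed: decide now
            if ztype in SERVED:
                zones.append(current)
            current = None
    return zones

def static_stub_conf(conf_text, server="127.0.0.1"):
    """Emit the static-stub declarations for the recursive view."""
    stanza = ('zone "{name}" in {{\n    type static-stub;\n'
              '    server-addresses {{ {server}; }};\n}};\n')
    return "".join(stanza.format(name=n, server=server) for n in served_zones(conf_text))

# Constructed sample authoritative include file (not from the post).
SAMPLE = '''\
zone "." in { type hint; file "root.hints"; };
zone "example.net" in {
    type master;
    file "db.example.net";
};
// zone "old.example" in { type master; file "db.old"; };
zone "corp.example" { type slave; masters { 192.0.2.1; }; file "db.corp"; };
'''
print(static_stub_conf(SAMPLE), end="")
```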