DNSSEC signing of an internal zone gains nothing (unless??)

Peter pmc at citylink.dinoex.sub.org
Tue Aug 2 13:28:07 UTC 2022


On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote:

! You can get the AD flag set, with a bit of extra work.  I've done this for
! years.

Thanks for your message, Timothe.
After investigating the matter, I had figured out a similar approach,
but didn't know whether this is a recommended or commonly used way. There
is only a paper somewhere in the depths of ISC describing how to do
that for a root-slave. Anyway, it appears to work.
I finally created 6-way servers by using some extra addresses on lo0
(auth+recursing for root+intranet+public) and then found the result
suitably structured and maintainable.

! Before your authoritative view, define a recursive view with the internal
! zones defined as static-stub, match-recursive-only "yes",  and a
! server-address of localhost. 

Uh? Why before?

My approach so far:

view "rootslave" {
        match-clients { fdff::1; };
        allow-query-cache { none; };
        allow-recursion { none; };
        recursion no;
        <root-zones go here>
};
view "intraslave" {
        match-clients { fdff::2; key "slave1"; };
        allow-query-cache { none; };
        allow-recursion { none; };
        recursion no;
        <intranet zones go here>
};
view "extraslave" {
        match-clients { key "slave1extra"; };
        allow-query-cache { none; };
        allow-recursion { none; };
        recursion no;
        <public zones go here>
};
view "guest" {            // public WLAN etc.
        match-clients { ... };
        <root-zones as 'static-stub' from fdff::1>
        // not yet deployed, needs clarification
};
view "desktop" {          // user devices
        match-clients { ... };
        <root-zones 'in-view "guest"'>
        <intranet zones as 'static-stub' from fdff::2>
        <adblocker etc.>
};
view "intra" {
        match-clients { <all intranet> };
        <root-zones 'in-view "guest"'>
        <intranet zones 'in-view "desktop"'>
};
view "public" {           // external sites allowed to use recursing
        match-clients { ... };
        // not yet deployed, needs evaluation
};
view "external" {         // fall-through
        match-clients { any; };
        allow-query-cache { none; };
        allow-recursion { none; };
        recursion no;
        zone "." {        // is this necessary? (something didn't work without)
                type hint;
                file "/usr/local/etc/namedb/named.root";
        };
        <public zones 'in-view "extraslave"'>
};


Sure, this could also be done by running 2 or 3 instances, and probably
more safely - but where would the fun be then?
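The view ordering Timothe refers to, as an added example that is not part of either post: a minimal two-view named.conf in which the recursive view must come first so that client queries (RD=1) match it, while the RD=0 queries it sends to itself on localhost fall through to the authoritative view; the local trust anchor is what lets the validator set AD for a zone outside the public chain of trust. Zone name, addresses and the DNSKEY value are assumptions.

```bind
// Added example, not taken from the thread. intra.example, 192.0.2.0/24
// and the trust-anchor value are placeholders (assumptions).
options {
    listen-on { 127.0.0.1; 192.0.2.53; };  // 192.0.2.53: assumed LAN address
    dnssec-validation auto;                // root anchor is built in
};

// The internal zone's own KSK: without it the validator has no chain
// to the zone and returns the data unauthenticated (no AD).
// Replace the placeholder with the zone's real DNSKEY rdata.
trust-anchors {
    intra.example. static-key 257 3 13 "PLACEHOLDER-BASE64-DNSKEY";
};

// 1. Recursive view, matched FIRST and only for RD=1 queries from the LAN.
//    The internal zone is a static-stub whose iterative (RD=0) lookups
//    go to this same named on 127.0.0.1.
view "recursive" {
    match-clients { 192.0.2.0/24; };
    match-recursive-only yes;
    recursion yes;
    zone "intra.example" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

// 2. Authoritative view: the RD=0 lookups from the view above do not
//    match "recursive" (match-recursive-only), so they land here and
//    are answered from the signed zone file.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "intra.example" {
        type primary;
        file "intra.example.db.signed";
    };
};
```

To verify, query the LAN address from a client in 192.0.2.0/24 with `dig +dnssec @192.0.2.53 host.intra.example A` and check that `ad` appears in the `flags:` line; if the views were swapped, the client query would hit the authoritative view first and come back with `aa` instead of `ad`.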


-- PMc
