DNSSEC signing of an internal zone gains nothing (unless??)
Petr Špaček
pspacek at isc.org
Thu Aug 4 08:45:44 UTC 2022
On 01. 08. 22 18:15, John W. Blue via bind-users wrote:
> As some enterprise networks begin to engineer towards the concepts of
> ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC
> signing of an internal zone.
>
> Granted, it has long been considered unwise by DNS pros, with a commonly
> stated reason that it increases the size of the zone, yadda, yadda, yadda.
>
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the AD
> flag will not be set. You will only get the AA flag. So there is
> nothing to be gained from signing an internal zone.
>
> However, I have not tested it yet; I would assume that if a
> non-authoritative internal server was queried it would be able to walk
> the chain of trust and return AD.
>
> Thoughts?
I think it's worth reading
https://datatracker.ietf.org/doc/html/draft-krishnaswamy-dnsop-dnssec-split-view
Keep in mind it is 15 years old, but it will give you an idea about
various points of view.
--
Petr Špaček
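The AA-versus-AD distinction raised in the original question can be checked directly on the wire. The following is an added example (not from either poster, and not BIND code): it decodes the 12-byte DNS header and reports whether a response is merely authoritative (AA set, as from querying the signing server directly) or validated (AD set, as from a validating recursive resolver). The two sample headers are constructed inline, not captured traffic.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035).
FLAG_QR = 0x8000  # response
FLAG_AA = 0x0400  # authoritative answer
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data (DNSSEC validation succeeded)
FLAG_CD = 0x0010  # checking disabled
RCODE_MASK = 0x000F


def parse_header(msg: bytes) -> dict:
    """Decode the fixed 12-byte DNS header into flag bits and section counts."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & RCODE_MASK,
        "counts": (qd, an, ns, ar),
    }


def classify(msg: bytes) -> str:
    """State what the AA/AD combination tells a client about the answer.
    Note: a resolver only sets AD if the query carried DO or AD (RFC 6840)."""
    h = parse_header(msg)
    if not h["qr"]:
        return "not a response"
    if h["ad"]:
        return "validated by the resolver (AD set)"
    if h["aa"]:
        return "authoritative but unvalidated (AA set, AD clear)"
    return "neither authoritative nor validated"


def build_header(ident: int, flags: int, qd=1, an=1, ns=0, ar=0) -> bytes:
    """Pack a header; used here only to construct sample responses."""
    return struct.pack("!HHHHHH", ident, flags, qd, an, ns, ar)


# Constructed samples: a direct answer from the authoritative server, and
# the same answer relayed by a validating recursive resolver.
AUTH_DIRECT = build_header(0x1234, FLAG_QR | FLAG_AA)
VALIDATING_RESOLVER = build_header(0x1235, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD)
```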