DNSSEC and forward zone

Petr Menšík pemensik at redhat.com
Fri Apr 21 09:59:26 UTC 2023


Would it make sense to create a subdomain for internal use, but have the 
main zone signed with external records only? Is it possible to make 
changes to names?

Can you make for example in.ubi.pt just internal only, not accessible 
from outside?

If you want to have your external zone signed with DNSSEC, then the internal 
zone has to be signed with DNSSEC too. You can work around different KSK 
keys by adding a trust anchor to all your validating resolvers. A bit 
better solution would be adding a DS record to the parent pt zone also for 
the internal KSK key.

If you make internalsite2.ubi.pt an unsigned zone, with its own NS and SOA, 
then it can be unsigned when the main ubi.pt zone is signed. But the 
indication from the parent has to match. Both zones have to be signed or 
neither. The internal zone would work too with a trust anchor explicitly added 
to your resolvers. Unless you want to ignore your own zone signatures, the 
internal zone should be signed too.

On 4/19/23 11:49, David Carvalho via bind-users wrote:
>
> Hi and thanks for the reply.
>
> Does it make sense to not validate my parent domain entirely? Wouldn’t 
> that also stop exterior validation when I request it?
>
> Thanks!
>
> David
>
> *From:* Darren Ankney <darren.ankney at gmail.com>
> *Sent:* 19 April 2023 10:27
> *To:* David Carvalho <david at di.ubi.pt>
> *Cc:* Bind Users Mailing List <bind-users at lists.isc.org>
> *Subject:* Re: DNSSEC and forward zone
>
> Hi David,
>
> You can disable validation on one or more domains using 
> "validate-except" - 
> https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except
>
> Thank you,
>
> Darren Ankney
>
> On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users 
> <bind-users at lists.isc.org> wrote:
>
>     Hello guys
>
>     Asking for your help, again.
>
>     So after setting up DNSSEC I’ve found I couldn’t reach some
>     internal sites on my top domain, served by internal DNS servers
>
>     There’s no need in hiding domains as my e-mail is shown here.
>
>     Top domain
>
>     ubi.pt (external DNS servers, authoritative)
>
>     Internal DNS servers (Windows, Active Directory, recursive)
>
>     Internalsite1.ubi.pt
>
>     Internalsite2.ubi.pt
>
>                     …
>
>     di.ubi.pt
>
>     (both authoritative and recursive for my networks)
>
>     Previously I had the following to get internal sites resolved, but
>     now it seems it is completely discarded by dnssec.
>
>     zone "ubi.pt" IN {
>         type forward;
>         forwarders { 192.168.100.1; 192.168.100.2; };
>     };
>
>     Is there any configuration to allow me to be able to access
>     internal sites served by internal dns servers, I guess not using
>     DNSSEC?
>
>     Can this only be accomplished by adding these entries to my parent
>     domain?
>
>     Thanks!
>
>     Kind regards
>
>     David Carvalho
>
>     -- 
>     Visit https://lists.isc.org/mailman/listinfo/bind-users to
>     unsubscribe from this list
>
>     ISC funds the development of this software with paid support
>     subscriptions. Contact us at https://www.isc.org/contact/ for more
>     information.
>
>
>     bind-users mailing list
>     bind-users at lists.isc.org
>     https://lists.isc.org/mailman/listinfo/bind-users
>
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
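The two approaches discussed in this thread, put into one named.conf fragment for the internal validating resolver. This is an added example, not configuration from any of the thread's authors; the forwarder addresses are the ones from David's message, while the key tag and DS digest in the trust anchor are placeholders to be replaced with the real values of the internal KSK.

```conf
// Validating resolver inside the network (e.g. di.ubi.pt).
// Forward only the internal subdomain to the Active Directory servers,
// not the whole ubi.pt zone, so external ubi.pt names keep validating
// against the signed public zone.
options {
    dnssec-validation auto;

    // Option A (Darren's reply): the internal zone stays unsigned, so the
    // validator is told not to expect signatures below this name.
    // Weaker choice: answers under this name are accepted without any proof,
    // so a spoofed forwarder response would not be detected.
    // Use EITHER this statement OR the trust-anchors block below, not both.
    validate-except { "internalsite2.ubi.pt"; };
};

zone "internalsite2.ubi.pt" IN {
    type forward;
    forward only;
    forwarders { 192.168.100.1; 192.168.100.2; };
};

// Option B (Petr's reply): the internal zone is signed with its own KSK and
// that KSK is configured as a trust anchor on every validating resolver.
// The validator then trusts the internal chain from this name down and does
// not need a DS record for it in the public ubi.pt zone.
// PLACEHOLDER values: key tag 12345, algorithm 13 (ECDSAP256SHA256),
// digest type 2 (SHA-256); replace with the DS of the real internal KSK.
trust-anchors {
    "internalsite2.ubi.pt" initial-ds 12345 13 2 "PLACEHOLDER_DS_DIGEST";
};
```

With option B, `rndc secroots` lists the configured anchor, and a query for a name under internalsite2.ubi.pt with `dig +dnssec` should come back with the AD flag set; with option A the AD flag is absent for those names, which is the expected trade-off.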