DNSSEC and forward zone

David Carvalho david at di.ubi.pt
Fri Apr 21 11:15:04 UTC 2023 

Hi, thanks for the reply.

There really is not much I can tell you about my parent zone. For now, I made an exclusion with “validate-except” and everything seems to be working fine both internally and externally.

Not sure about your first suggestion, as the top domain is also served internally by Active Directory. The clients “think” it is the main domain server (except my networks which use my dns servers).

 

“A bit better solution would be adding DS record to parent pt zone also for internal KSK key.” – I think this is the possibility they are studying. Unfortunately I don’t know that much about the parent setup.

Anyway, thanks and regards!

David

 

 

From: bind-users <bind-users-bounces at lists.isc.org> On Behalf Of Petr Menšík
Sent: 21 April 2023 10:59
To: bind-users at lists.isc.org
Subject: Re: DNSSEC and forward zone

 

Would it make sense to create a subdomain for internal use, but have the main zone signed with external records only? Is it possible to make changes to names?

Can you make for example in.ubi.pt just internal only, not accessible from outside?

If you want to have your external zone signed with DNSSEC, then internal zone has to be signed with DNSSEC too. You can workaround different KSK keys by adding trust anchor to all your validating resolvers. A bit better solution would be adding DS record to parent pt zone also for internal KSK key.

If you make internalsite2.ubi.pt unsigned zone, with own NS and SOA, then it can be not signed, when the main ubi.pt zone is. But the indication from the parent has to match. Both zones have to be signed or none. Internal zone would work too with trust-anchor explicitly added to your resolvers. Unless you want to ignore your own zone signatures, internal zone should be signed too.

On 4/19/23 11:49, David Carvalho via bind-users wrote:

 

Hi and thanks for the reply.

Does it make sense to not validate my parent domain entirely? Wouldn’t that also stop exterior validation when I request it?

Thanks!

David

 

From: Darren Ankney  <mailto:darren.ankney at gmail.com> <darren.ankney at gmail.com> 
Sent: 19 April 2023 10:27
To: David Carvalho  <mailto:david at di.ubi.pt> <david at di.ubi.pt>
Cc: Bind Users Mailing List  <mailto:bind-users at lists.isc.org> <bind-users at lists.isc.org>
Subject: Re: DNSSEC and forward zone

 

Hi David,

 

You can disable validation on one or more domains using "validate-except" - https://bind9.readthedocs.io/en/latest/reference.html#namedconf-statement-validate-except

 

Thank you,

 

Darren Ankney

 

On Wed, Apr 19, 2023 at 5:05 AM David Carvalho via bind-users <bind-users at lists.isc.org <mailto:bind-users at lists.isc.org> > wrote:

Hello guys

Asking for your help, again.

 

So after setting up DNSSEC I’ve found I couldn’t reach some internal sites on my top domain, served by internal DNS servers

There’s no need in hiding domains as my e-mail is shown here.

 

Top domain

	
	


 

 




ubi.pt <http://ubi.pt>  (external DNS Servers authoritative)

 

          Internal DNS servers (windows, Active directory - Recursive)

    Internalsite1.ubi.pt <http://Internalsite1.ubi.pt> 

                   Internalsite2.ubi.pt <http://Internalsite2.ubi.pt> 

                …

 

 

di.ubi.pt <http://di.ubi.pt>  

(both authoritative and recursive for my networks)

 

Previously I had the following to get internal sites resolved, but now it seems it is completely discarded by dnssec.

 

zone "ubi.pt <http://ubi.pt> " IN {

        type forward;

        forwarders { 192.168.100.1; 192.168.100.2; };

}

 

Is there any configuration to allow me  to be able to access internal sites served by internal dns servers, I guess not using DNSSEC?

Can this only be accomplished by adding these entries to my parent domain?

Thanks!

 

Kind regards

David Carvalho

-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users at lists.isc.org <mailto:bind-users at lists.isc.org> 
https://lists.isc.org/mailman/listinfo/bind-users





-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230421/6af03a19/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 252 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230421/6af03a19/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image002.png
Type: image/png
Size: 4514 bytes
Desc: not available
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20230421/6af03a19/attachment-0003.png>

More information about the bind-users mailing list