Mark Andrews wrote:
> In message <4a99abeb.7080...@hauke-lampe.de>, Hauke Lampe writes:
>> I am looking for a way to disable DNSSEC lookaside validation for a given
>> zone.
>>
>> For any query to this zone, BIND tries to look up
>> example.net.dlv.isc.org DLV records. If the external internet connection
>> is down and the DLV record not cached, internal hostname resolution
>> fails because BIND cannot prove the zone's insecure state.
>
> Just sign your internal zone and add a trusted-keys clause for it
> and you won't use DLV. named only uses dlv if the zone is provably
> insecure based on the trust-anchors configured.

That's what I was trying to avoid for now. The internal zone doesn't lend itself very well to DNSSEC-signing yet. Also, name resolution failures for internal hostnames like LDAP servers or Kerberos names can cause a lot of trouble. I would have a hard time justifying the benefits of DNSSEC validation if it bears the risk of disrupting the internal network every time the SDSL connection congests or a local zone admin manages to wreck the signatures.

What we try to achieve is:

- Validate DNSSEC signatures on resolvers close to the clients, using dlv.isc.org
- Keep internal name resolution functioning, even if the connection to the outer internet is down

I see the following options to do this. Please correct me if I missed some:

1. Sign the internal zone and configure trust-anchors on each resolver. We really don't want to go there right now.
2. Tell BIND about known-insecure zones, so it won't try to locate DLV records, e.g. "dnssec-must-be-secure example.net never". Not possible without changes to BIND, AFAICS.
3. Mirror the DLV zone locally, so that interruptions in the internet connection won't block internal name resolution. We would probably use this as an interim solution until either 1. or 2. is available. I know I could simply recreate the DLV zone with dnssec-walker. An official distribution via [AI]XFR, rsync or HTTP would be much appreciated, though.

Hauke.
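Mark's suggestion (option 1 above) in concrete form, as an added example that is not part of this thread: a named.conf fragment for a validating resolver of the BIND 9.6 era that keeps lookaside validation for the outside world but carries its own trust anchor for the internal zone, so named never has to look up example.net.dlv.isc.org. The zone name, paths and key material are placeholders; the internal zone must already be signed for the anchor to be useful.

```conf
// Added example, not configuration from the thread. Placeholders: replace
// the key strings with the real DNSKEY records before loading.
options {
    directory "/var/named";
    dnssec-enable yes;
    dnssec-validation yes;
    // Lookaside validation through ISC's DLV registry for everything that
    // is not covered by a locally configured trust anchor.
    dnssec-lookaside "." trust-anchor dlv.isc.org.;
};

trusted-keys {
    // KSK of the DLV registry itself (fetch the current key from ISC).
    "dlv.isc.org." 257 3 5 "<DLV-KSK-BASE64-PLACEHOLDER>";

    // KSK of the signed internal zone. With this anchor present the zone is
    // provably secure from local configuration alone, so named validates it
    // without ever querying example.net.dlv.isc.org, and internal names keep
    // resolving while the external link is down.
    "example.net." 257 3 5 "<INTERNAL-KSK-BASE64-PLACEHOLDER>";
};
```

The trade-off Hauke describes still applies: once the anchor is configured, an expired or broken signature on the internal zone makes named return SERVFAIL for it, so signature expiry has to be monitored (e.g. with `dig +dnssec` against the resolver and checking for the AD flag) as carefully as the link itself.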
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users