Also do not disagree. However, the intent of the thread is to talk about the lack of an AD flag from a non-public internal authoritative server. Based upon what I am seeing only the AA flag is set.
John

-----Original Message-----
From: John Franklin [mailto:frank...@sentaidigital.com]
Sent: Monday, August 1, 2022 12:45 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)

On Aug 1, 2022, at 12:15, John W. Blue via bind-users <bind-users@lists.isc.org> wrote:
>
> As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC signing of an internal zone.
>
> Granted, it has long been considered unwise by DNS pros, with a commonly stated reason that it increases the size of the zone yadda, yadda, yadda.
> [snip]
> Thoughts?

DNSSEC enables use of certain security RRs, such as SSHA and TLSA, which can be used as part of a zero trust solution in DevOps pipelines. It’s also good practice managing DNSSEC before deploying it in public production sites.

jf
--
John Franklin
frank...@sentaidigital.com

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
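To make the AA/AD distinction in this thread concrete, here is an added example (not from the thread, and not BIND code) that decodes the flag word of a DNS message header. The two 12-byte headers are constructed by hand: one shaped like a direct answer from the internal authoritative server (AA set, AD clear) and one shaped like an answer from a validating recursive resolver that holds a trust anchor for the zone (AD set); the AD bit is only ever asserted by a validator, so seeing AA without AD straight from the authoritative server is the expected result.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6).
FLAG_BITS = {
    "QR": 0x8000,  # message is a response
    "AA": 0x0400,  # authoritative answer: set by the zone's own server
    "TC": 0x0200,  # truncated
    "RD": 0x0100,  # recursion desired
    "RA": 0x0080,  # recursion available
    "AD": 0x0020,  # authentic data: set only by a validating resolver
    "CD": 0x0010,  # checking disabled: client asked the resolver not to validate
}


def decode_flags(header: bytes) -> dict:
    """Return the named flag bits and the RCODE from a 12-byte DNS header."""
    if len(header) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _txid, flags = struct.unpack("!HH", header[:4])
    decoded = {name: bool(flags & bit) for name, bit in FLAG_BITS.items()}
    decoded["RCODE"] = flags & 0x000F
    return decoded


def build_header(txid: int, *flag_names: str) -> bytes:
    """Constructed test data: a header with the given flags set (qdcount=1, ancount=1)."""
    flags = 0
    for name in flag_names:
        flags |= FLAG_BITS[name]
    return struct.pack("!6H", txid, flags, 1, 1, 0, 0)


def describe(header: bytes) -> str:
    """Say what the AA/AD combination tells the client about the answer."""
    f = decode_flags(header)
    if f["AD"]:
        return "validated: a validating resolver asserted the data is authentic"
    if f["AA"]:
        return "authoritative but unvalidated: AA comes from the zone server, AD does not"
    return "neither authoritative nor validated"


# Constructed samples mirroring the two cases discussed in the thread.
INTERNAL_AUTH_ANSWER = build_header(0x1234, "QR", "AA")
VALIDATING_RESOLVER_ANSWER = build_header(0x1234, "QR", "RD", "RA", "AD")

if __name__ == "__main__":
    for label, hdr in (("authoritative", INTERNAL_AUTH_ANSWER),
                       ("resolver", VALIDATING_RESOLVER_ANSWER)):
        print(label, decode_flags(hdr), describe(hdr))
```

dig prints these same bits in its `;; flags:` line, so running `dig +dnssec` once against the authoritative server and once through a validating resolver is the live equivalent of the two constructed headers.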