Let's flip this on its head.

On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
> As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC signing of an internal zone.

So why shouldn't the internal zone(s) be signed?

> Granted, it has long been considered unwise by DNS pros with a commonly stated reason that it increases the size of the zone yadda, yadda, yadda.

Are we really going to let the storage capacity / memory consumption of the DNS server dictate the security posture?

If anything, it seems like this is a justification to upgrade the DNS server. }:-)

> While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from signing an internal zone.

An argument could be made that this seems like an excuse to not sign zones.

> However, I have not tested it yet; I would assume that if a non-authoritative internal server was queried it would be able to walk the chain of trust and return AD.

I would expect so.

> Thoughts?

Yes; sign the internal zone(s). Upgrade the servers to hold the (somewhat) larger zone(s) if you need to.
-- Grant. . . . unix || die
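The AA-versus-AD distinction in the thread is something you can check mechanically: the two bits live in the 16-bit flags word of the DNS header, and a response is only known to have been DNSSEC-validated when the AD bit is set, which an authoritative server answering directly never does. The following is an added example, not code from the thread or from BIND; it parses the header of a wire-format DNS message and classifies the answer, using constructed 12-byte headers (no real traffic) for the three cases discussed: a direct answer from the authoritative server, an answer from a validating recursive resolver, and an answer from a non-validating resolver. The function names and the sample headers are this example's own.

```python
import struct
from dataclasses import dataclass

# Bit positions in the DNS header flags word (RFC 1035 section 4.1.1,
# AD and CD added by RFC 2535/4035).
QR_BIT = 1 << 15   # message is a response
AA_BIT = 1 << 10   # answer is authoritative (set by the zone's own server)
TC_BIT = 1 << 9    # truncated
RD_BIT = 1 << 8    # recursion desired (copied from the query)
RA_BIT = 1 << 7    # recursion available (set by a recursive resolver)
AD_BIT = 1 << 5    # authentic data: resolver validated the DNSSEC chain
CD_BIT = 1 << 4    # checking disabled (client asked for no validation)
RCODE_MASK = 0x000F


@dataclass(frozen=True)
class DnsHeaderFlags:
    qr: bool
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int


def parse_header_flags(message: bytes) -> DnsHeaderFlags:
    """Decode the flags word from the first 12 bytes of a DNS message."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT are six big-endian u16.
    _msg_id, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", message[:12])
    return DnsHeaderFlags(
        qr=bool(flags & QR_BIT),
        aa=bool(flags & AA_BIT),
        tc=bool(flags & TC_BIT),
        rd=bool(flags & RD_BIT),
        ra=bool(flags & RA_BIT),
        ad=bool(flags & AD_BIT),
        cd=bool(flags & CD_BIT),
        rcode=flags & RCODE_MASK,
    )


def classify_answer(flags: DnsHeaderFlags) -> str:
    """Say what the header tells a client about DNSSEC validation.

    AD is the only bit that means "validated". AA only means the server
    is authoritative for the zone; a stub talking straight to it gets no
    validation at all, which is the point raised in the thread.
    """
    if not flags.qr:
        return "not-a-response"
    if flags.cd:
        # Client disabled checking, so the resolver did not validate.
        return "unvalidated (checking disabled by client)"
    if flags.ad:
        return "validated"
    if flags.aa:
        return "authoritative but unvalidated"
    return "unvalidated"


def build_header(flags_word: int, msg_id: int = 0x1234) -> bytes:
    """Construct a 12-byte header with one question and one answer."""
    return struct.pack("!6H", msg_id, flags_word, 1, 1, 0, 0)


# Constructed sample headers (no real DNS traffic involved).
SAMPLES = {
    # Stub asks the authoritative server directly: QR, AA, RD. No AD.
    "direct-to-authoritative": build_header(QR_BIT | AA_BIT | RD_BIT),
    # Validating recursive resolver (e.g. dnssec-validation on): QR, RD, RA, AD.
    "validating-resolver": build_header(QR_BIT | RD_BIT | RA_BIT | AD_BIT),
    # Non-validating recursive resolver: QR, RD, RA only.
    "non-validating-resolver": build_header(QR_BIT | RD_BIT | RA_BIT),
}


def classify_samples() -> dict:
    return {name: classify_answer(parse_header_flags(hdr)) for name, hdr in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in classify_samples().items():
        print(f"{name:26s} -> {verdict}")
```

The same check can be applied to a live answer by handing the raw response bytes to `parse_header_flags`; the practical takeaway matches the thread: signing the zone buys nothing for a client that queries the authoritative server directly, and only pays off once the clients sit behind a validating resolver that sets AD.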