DNSSEC is designed to be validated in the application. That applies equally to internal zones as it does to external zones. One procedure for them all.
-- Mark Andrews

> On 1 Aug 2022, at 11:15, John W. Blue via bind-users <bind-users@lists.isc.org> wrote:
>
> As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC signing of an internal zone.
>
> Granted, it has long been considered unwise by DNS pros, with a commonly stated reason that it increases the size of the zone, yadda, yadda, yadda.
>
> While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from signing an internal zone.
>
> However, I have not tested it yet; I would assume that if a non-authoritative internal server was queried it would be able to walk the chain of trust and return AD.
>
> Thoughts?
>
> John
> --
> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
>
> ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
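The AA-versus-AD distinction in the thread, as an added example that is not part of either message: a stdlib-only parser for the 12-byte DNS header that reads the AA and AD bits and classifies what the client may conclude from them. The two sample headers are constructed, not captured, and `resolver_path_trusted` is an assumed application setting standing in for "the path to the resolver is secured", since an AD bit received over an untrusted path is exactly the case where validation has to happen in the application itself.

```python
import struct

# Flag bits in the second 16-bit word of the DNS header (RFC 1035 section 4.1.1;
# AD and CD were added by RFC 2535 and are used by DNSSEC per RFC 4035).
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def parse_header(packet: bytes) -> dict:
    """Parse the fixed 12-byte DNS header into named flags and section counts."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", packet[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR), "aa": bool(flags & AA), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "ad": bool(flags & AD), "cd": bool(flags & CD),
        "opcode": (flags >> 11) & 0xF, "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def validation_status(packet: bytes, resolver_path_trusted: bool) -> str:
    """Say what a client may conclude from the AA/AD bits of a response header.

    resolver_path_trusted is an assumed application setting: True only when the
    channel to the resolver is secured, which is the precondition for trusting AD.
    """
    h = parse_header(packet)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["ad"]:
        # A validating resolver walked the chain of trust and set AD.
        return "validated-by-resolver" if resolver_path_trusted else "ad-untrusted-validate-locally"
    if h["aa"]:
        # Straight from the authoritative server: AA only, no validation happened.
        return "authoritative-unvalidated"
    return "unvalidated"


def build_header(ident: int, *, aa: bool = False, ad: bool = False,
                 ra: bool = False, ancount: int = 1) -> bytes:
    """Build a constructed response header (QR and RD set) for offline testing."""
    flags = QR | RD | (AA if aa else 0) | (AD if ad else 0) | (RA if ra else 0)
    return struct.pack("!6H", ident, flags, 1, ancount, 0, 0)


# Constructed sample headers: one as an authoritative server would answer an
# internal client directly, one as a validating recursive resolver would.
AUTH_RESPONSE = build_header(0x1234, aa=True)
RESOLVER_RESPONSE = build_header(0x1234, ad=True, ra=True)
```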