On 01-Aug-22 12:15, John W. Blue wrote:
> While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from signing an internal zone.

You can get the AD flag set, with a bit of extra work. I've done this for years.

The question of whether the client resolver does/should trust the AD flag is situation dependent.
Before your authoritative view, define a recursive view with the internal zones defined as static-stub, match-recursive-only "yes", and a server-address of localhost. In the authoritative view, you can share the cache (attach-cache) with the recursive view.
It's pretty straightforward to automate keeping the static-stub list in sync - I keep it in a separate .conf file.
e.g. this outline (the order matters, views are selected first-match):

    view "r-internal" in {
        match-clients { ... };
        match-recursive-only yes;
        recursion yes;
        -- standard config --

        /* Included */
        -- trusted-keys --
        zone "example.net" in {
            type static-stub;
            server-addresses { 127.0.0.1; };
        };
    };

    view "internal" in {
        attach-cache "r-internal";
        recursion no;
        -- standard config --

        /* Included */
        zone "example.net" in {
            auto-dnssec maintain;
            type master;
            file ...;
            -- standard config --
        };
    };

    view "r-external" in { /* if you allow external recursion, or use acls to fake external clients */
        ...
    };

    view "external" in {
        ...
    };

A script along the lines of:

    perl -e'while(<>){/^\s*zone/ && print $_," type static-stub;\n server-addresses { 127.0.0.1; }; \n}; \n"}' <internal_zones.conf >internal_stub_zones.conf
will generate the static-stub declarations. Of course, depending on how you add/remove zones, YMMV.

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views, if any, on the matters discussed.
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
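A worked version of the two pieces above, added here as an example and not code from Timothe's post or from BIND: a generator for the static-stub include file that tracks braces (so multi-line zone statements with nested blocks such as update-policy or primaries are handled) and skips hint/forward zones that the authoritative view does not actually serve, plus a check on dig output that tells the validated case (AD set, answered via the recursive view) apart from the direct-to-authoritative case (AA only). The file name internal_zones.conf, the 127.0.0.1 server address and the sample named.conf and dig text are assumptions constructed for the example.

```python
"""Generate static-stub declarations for the recursive view and check dig
output for the AD flag.  Added example; not from the original thread.

Assumptions (constructed for this example):
  - internal_zones.conf holds the authoritative zone statements, each as
    `zone "name" [in] { ... };`;
  - the authoritative view answers non-recursive queries on 127.0.0.1, so
    the recursive view's static-stub zones point there.
"""
import re

ZONE_RE = re.compile(r'^\s*zone\s+"([^"]+)"(?:\s+in)?\s*\{',
                     re.IGNORECASE | re.MULTILINE)
TYPE_RE = re.compile(r'\btype\s+(\S+)\s*;', re.IGNORECASE)
FLAGS_RE = re.compile(r'^;; flags:\s*([^;]*);', re.MULTILINE)

# Only zones the authoritative view really serves get short-circuited to
# localhost; hint/forward/stub zones must still be resolved normally.
SERVED_TYPES = {"master", "primary", "slave", "secondary"}


def zone_blocks(conf_text):
    """Yield (name, body) for each zone statement, counting braces so a
    nested block (update-policy { ... }, primaries { ... }) does not end
    the zone early."""
    pos = 0
    while True:
        m = ZONE_RE.search(conf_text, pos)
        if not m:
            return
        depth, i = 1, m.end()
        while depth and i < len(conf_text):
            if conf_text[i] == "{":
                depth += 1
            elif conf_text[i] == "}":
                depth -= 1
            i += 1
        yield m.group(1), conf_text[m.end():i - 1]
        pos = i


def static_stub_conf(conf_text, server="127.0.0.1"):
    """Return the include file for the recursive view: one static-stub
    declaration per served zone, pointing at the authoritative view."""
    out = []
    for name, body in zone_blocks(conf_text):
        t = TYPE_RE.search(body)
        ztype = t.group(1).lower() if t else ""
        if ztype not in SERVED_TYPES:
            continue
        out.append(
            f'zone "{name}" in {{\n'
            f"    type static-stub;\n"
            f"    server-addresses {{ {server}; }};\n"
            f"}};\n"
        )
    return "".join(out)


def dig_flags(dig_output):
    """Set of header flags from a dig reply, e.g. {'qr', 'rd', 'ra', 'ad'}."""
    m = FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def is_validated(dig_output):
    """True only when the AD bit is present.  AA without AD means the
    client reached the authoritative view directly and nothing validated
    the answer; run dig with +dnssec (or +adflag) so the resolver is asked
    to report validation status."""
    return "ad" in dig_flags(dig_output)


# Constructed sample input (not a real configuration or capture).
SAMPLE_CONF = """\
zone "example.net" in {
    type master;
    file "/var/named/example.net.db";
    auto-dnssec maintain;
    update-policy { grant local-ddns zonesub any; };
};
zone "10.in-addr.arpa" {
    type secondary;
    primaries { 192.0.2.1; };
    file "/var/named/10.in-addr.arpa.db";
};
zone "." in {
    type hint;
    file "/var/named/named.root";
};
"""
SAMPLE_DIG_RECURSIVE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12345
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
SAMPLE_DIG_AUTH = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12346
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""

if __name__ == "__main__":
    print(static_stub_conf(SAMPLE_CONF), end="")
    print("recursive view validated:", is_validated(SAMPLE_DIG_RECURSIVE))
    print("authoritative view validated:", is_validated(SAMPLE_DIG_AUTH))
```

Feed it the real zone file (`python3 gen_stubs.py < internal_zones.conf > internal_stub_zones.conf` once you swap SAMPLE_CONF for sys.stdin.read()) and run named-checkconf on the result before reloading; the dig check is what to run from an internal client after the reload to confirm the recursive view, not the authoritative one, is answering.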