On Jun 24, 2014, at 4:29 PM, Matthew Ghali <mgh...@snark.net> wrote:
> Hi PHB- I'm curious when this scheme would be simpler to implement or less > expensive to operate as opposed to using a delegated internal subdomain of an > existing parent domain registration (see corp.verio.net modulo the > psychopathic NS rrset). I'm certainly no authority but everyone seems to have > a much more complicated solution to what I've always found to be a simple > problem. Is it the old "never expose 1918 addresses in public DNS" fetish, or > the related "must not expose secret internal names via DNS" paranoia? It's possible to have an 'internally' visible zone, but the 'corp.verio.net' example I provided is somewhat like the worst of both worlds. You detail a lot about your zone and internal server IPs without any security benefit at all. One should (ideally) not respond with ULA or 1918 addresses in your AAAA or A responses as the behavior can be undefined. What you don't want is to be delegating everything so far that you may have a host querying for an internal resource sending everyone talking to their own local 10.x DNS server because of the way you established NS records. Your VPN and internal resolvers can be an authority on "corp.example.com" without exposing that to the broader internet. - jared _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations dns-jobs mailing list https://lists.dns-oarc.net/mailman/listinfo/dns-jobs