> If I were using .internal names, I would configure them in unbound > exactly the same way that I configure the rDNS for 192.168/16 and > >onion and the other zones it's preconfigured to serve. If you ask > for DNSSEC, it says it's unsigned. > > If someone is about to say but then if I do my own DNSSEC checks > in my end device it won't work.
That's too simple. If you do your own DNSSEC checks and forward to a local recursor then home.arpa. will work because it is an insecure delegation. As it stands today, internal is not delegated so it only works on the recursor where internal is configured but not on any other DNSSEC validator. In my opinion, that's quite a big difference. _______________________________________________ DNSOP mailing list -- [email protected] To unsubscribe send an email to [email protected]
