On 2023-09-01 4:16, Roman Serbski via nsd-users wrote:
> NSD 4.7.0 running on FreeBSD 13.X and serving DNSSEC signed zone (say
> mydomain.org) to the world.
> I've been approached by a customer with the request to include certain
> records into mydomain.org zone which will be resolvable only from
> their premises.
> I'm thinking to set up a pair of unbound instances, ask the customer to
> configure conditional forwarding for mydomain.org to those unbound
> instances, and serve requested records by unbound, while the rest of
> the zone will be handled by NSD.
> I think this will break DNSSEC for them -- do you think this is the
> right approach? Any ideas would be very much appreciated.
It will break DNSSEC. It's also a bad idea to only have some of the
scopes signed. They should either be all signed, or none of them signed.
To do DNSSEC with split-horizon, you need separate, individually-signed,
per-scope zonefiles. It works, but cache cross-contamination is a
radical podiatric procedure waiting to happen.
The BCP is to not use split-horizon with DNSSEC. Instead use routing
tricks like anycast or local more-specifics, or put the private RRset
under its own authoritative zone.
_______________________________________________
nsd-users mailing list
nsd-users@lists.nlnetlabs.nl
https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
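As an added example (not from the thread, and not NSD or Unbound project configuration), here is what the last option in the reply, putting the private RRset under its own authoritative zone, looks like in configuration. All names, addresses and paths are assumed: the private names live under internal.mydomain.org, served by two internal NSD instances at 10.0.0.53 and 10.0.0.54 that only the customer can reach, while mydomain.org itself stays signed and public. The delegation in the signed parent deliberately carries no DS record, so a validating resolver following the parent's NSEC/NSEC3 chain proves the child is an insecure delegation and accepts its unsigned answers as Insecure rather than rejecting them as Bogus; the rest of mydomain.org keeps validating as Secure.

```text
### /usr/local/etc/nsd/mydomain.org.zone  (fragment; assumed path)
### Add the delegation, then re-sign the zone so the NSEC/NSEC3 chain
### covers "internal" and proves there is no DS for it.
internal.mydomain.org.      IN NS  ns1.internal.mydomain.org.
internal.mydomain.org.      IN NS  ns2.internal.mydomain.org.
ns1.internal.mydomain.org.  IN A   10.0.0.53   ; glue, private address by design
ns2.internal.mydomain.org.  IN A   10.0.0.54
; deliberately NO DS record: insecure delegation, the child may stay unsigned

### /usr/local/etc/nsd/nsd.conf on the internal servers (assumed path)
### Serves only the child zone; the customer's resolver is pointed here.
server:
    ip-address: 10.0.0.53
    hide-version: yes

zone:
    name: "internal.mydomain.org"
    zonefile: "/usr/local/etc/nsd/internal.mydomain.org.zone"

### /usr/local/etc/nsd/internal.mydomain.org.zone (assumed content)
$ORIGIN internal.mydomain.org.
$TTL 3600
@      IN SOA ns1.internal.mydomain.org. hostmaster.mydomain.org. (
             2023090101 7200 900 1209600 3600 )
@      IN NS  ns1.internal.mydomain.org.
@      IN NS  ns2.internal.mydomain.org.
ns1    IN A   10.0.0.53
ns2    IN A   10.0.0.54
app    IN A   10.0.1.10    ; a record visible only from the customer's premises

### unbound.conf on the customer's resolver (their side, assumed)
### Do NOT forward mydomain.org itself; only the child goes to the
### internal servers. The rest of mydomain.org resolves and validates
### normally against the public NSD.
server:
    # only needed if private-address filtering is enabled there: allow
    # the child zone to return RFC 1918 addresses
    private-domain: "internal.mydomain.org"

stub-zone:
    name: "internal.mydomain.org"
    stub-addr: 10.0.0.53
    stub-addr: 10.0.0.54

### Check from the customer side (unbound-host ships with unbound):
###   unbound-host -v app.internal.mydomain.org
### expected: an answer marked "(insecure)", not "BOGUS"; and
###   unbound-host -v www.mydomain.org
### should still report "(secure)".
```

Two caveats a practitioner would want. First, the NS names and their RFC 1918 glue addresses become visible in the public zone (the private records themselves do not); if even that is unacceptable, host the NS names under a zone that is not published. Second, re-sign mydomain.org after adding the delegation, not before: the NSEC/NSEC3 record covering "internal" is what proves the missing DS, and without it the child's answers validate as Bogus, which is exactly the failure the reply describes for split-horizon answers served from the unsigned unbound instances.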