On 26 Oct 2011, at 15:48, Rick van Rein wrote:
Thanks for the quick response Rick.

> Hi Scott,
>
>> If I have a different view for external (from the Internet) queries, than
>> for internal queries (from my own network), does anyone know if it is
>> possible to sign different views with ods?
>
> So, here's another scenario. You would create two separate
> instances of OpenDNSSEC, each signing a version of the zone.
> They also create their own KSKs and roll them independently.
> Then, using the possibility to enter multiple DS's into the
> parent zone, you would simply add one for each in your parent.
>
> Be sure to use the exact same set of algorithms (probably just
> RSA-SHA1 and/or RSA-SHA256) on both zones, or else you will
> see failures -- for each algorithm there must be a valid trace
> from parent to child; even if you (i.c. BIND) don't check it,
> someone else (i.c. Unbound) will.

I might have a go at this, if only to test how feasible it is.

> The ugly bit of this is that everyone would see your internal
> zone's DS, assuming that you didn't split the parent as well :)

I don't think that would be too much of an issue.

> So, here's a third scenario. You could just set up an internal
> zone (and wonder if it needs signing, when you can trust your
> LAN) and specify in your resolvers (who probably are behind the
> same perimeter) the secure entry point of your choice for the
> internal view of the zone.

We have considered this but were thinking of using unbound for internal caching resolvers and would like to check the authenticity of records. I also wondered whether in future this wouldn't be a problem with continuous signing (depending on how it is implemented).

Thanks
Scott
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
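The algorithm rule Rick describes (every algorithm in the parent's DS RRset must be backed by a key in each view's DNSKEY RRset, otherwise a strict validator fails the chain) as an added Python check; this is not part of the thread or of OpenDNSSEC. The DS and DNSKEY records below are constructed sample data, and the regex-based parser is a simplification that reads algorithm numbers only and verifies neither digests nor signatures.

```python
import re

# Presentation-format DS or DNSKEY record, TTL optional, class IN (simplified).
RR_RE = re.compile(r"^\S+\s+(?:\d+\s+)?IN\s+(DS|DNSKEY)\s+(\d+)\s+(\d+)\s+(\d+)\s+\S+$")

def parse_algorithms(records, rrtype):
    """Return the set of algorithm numbers in DS or DNSKEY records.
    DS fields: tag alg digest-type digest; DNSKEY fields: flags protocol alg key."""
    algs = set()
    for rr in records:
        m = RR_RE.match(rr.strip())
        if not m or m.group(1) != rrtype:
            raise ValueError(f"expected {rrtype} record: {rr!r}")
        algs.add(int(m.group(3) if rrtype == "DS" else m.group(4)))
    return algs

def missing_algorithms(parent_ds, view_dnskeys):
    """Algorithms the parent's DS RRset advertises that this view has no key for.
    RFC 6840 section 5.11: the child's DNSKEY RRset must hold a key of every algorithm
    in the DS RRset, so a non-empty result means this view fails strict validation."""
    required = parse_algorithms(parent_ds, "DS")
    return sorted(required - parse_algorithms(view_dnskeys, "DNSKEY"))

def check_views(parent_ds, views):
    """Map view name -> algorithms it lacks; all-empty means both views chain cleanly."""
    return {name: missing_algorithms(parent_ds, keys) for name, keys in views.items()}

# Constructed sample: one DS per view's KSK, but the two views use different algorithms.
PARENT_DS = [
    "example. IN DS 11111 5 1 0000INTERNALDIGEST",  # internal KSK, RSA-SHA1
    "example. IN DS 22222 8 2 0000EXTERNALDIGEST",  # external KSK, RSA-SHA256
]
VIEWS = {
    "internal": ["example. IN DNSKEY 257 3 5 AwEAAinternalKSK",
                 "example. IN DNSKEY 256 3 5 AwEAAinternalZSK"],
    "external": ["example. IN DNSKEY 257 3 8 AwEAAexternalKSK",
                 "example. IN DNSKEY 256 3 8 AwEAAexternalZSK"],
}

if __name__ == "__main__":
    print(check_views(PARENT_DS, VIEWS))  # {'internal': [8], 'external': [5]}
```

Each view's own DS and KSK match, yet each view is missing the other view's algorithm; re-running with both views on the same algorithm set returns empty lists for both.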
