On Wed, 26 Oct 2011, Scott Armitage wrote:
So, here's a third scenario. You could just set up an internal
zone (and wonder if it needs signing, when you can trust your
LAN) and specify in your resolvers (who probably are behind the
same perimeter) the secure entry point of your choice for the
internal view of the zone.

We have considered this but were thinking of using unbound for internal caching
resolvers and would like to check the authenticity of records.
I also wondered whether in future this wouldn't be a problem with continuous
signing (depending on how it is implemented).
You can tell unbound about this DNSSEC secured "phantom" zone:

stub-zone:
    name: "internal.example.com."
    stub-prime: no
    stub-addr: 192.168.1.1
    stub-addr: 192.168.1.2

Then you can add a trusted-key statement for internal.example.com.
unbound then knows that internal.example.com. does not exist in the "world view",
and it will override any DNSSEC proof that internal.example.com. does not exist,
and use the local nameservers specified with the local key specified.
Paul
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
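Putting the stub-zone from the reply together with the matching trust anchor in one resolver configuration, as an added example that is not from the thread or from the unbound/OpenDNSSEC projects: the zone name and stub addresses are the thread's, the key file path is an assumption, and unbound spells the anchor option trust-anchor-file rather than trusted-key.

```conf
# Added example: unbound.conf fragment for a DNSSEC-signed internal zone
# that is not delegated from the public tree. Zone name and stub addresses
# follow the thread; the key file path is an assumption.
server:
    # Trust anchor for the internal zone: the KSK DNSKEY record of
    # internal.example.com. (zone-file format, one record per line), copied
    # out of band from the signer. With this anchor loaded, unbound validates
    # internal.example.com. against it instead of accepting the public tree's
    # proof that the name does not exist.
    trust-anchor-file: "/etc/unbound/internal.example.com.key"

    # The file above must be replaced by hand at every KSK rollover. If the
    # internal zone rolls its KSK per RFC 5011 (revoke bit, hold-down timers),
    # use auto-trust-anchor-file instead so unbound tracks the rollover itself.
    # auto-trust-anchor-file: "/var/lib/unbound/internal.example.com.key"

    # Internal zones usually answer with RFC 1918 addresses. If private-address
    # is set (some distributions do this for DNS rebinding protection), such
    # answers are stripped unless the zone is exempted with private-domain.
    private-domain: "internal.example.com."

stub-zone:
    name: "internal.example.com."
    stub-prime: no
    stub-addr: 192.168.1.1
    stub-addr: 192.168.1.2
```

After unbound-checkconf accepts the file, `unbound-host -v -t A host.internal.example.com` should report the answer as (secure); anything else means the anchor is missing or no longer matches the zone's KSK.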