Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-04 Thread Petr Špaček
On 01. 08. 22 18:15, John W. Blue via bind-users wrote: As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC signing of an internal zone. Granted, it has long been considered unwise by DNS pros with a commonly

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-03 Thread Peter
On Wed, Aug 03, 2022 at 04:49:35PM +1000, Mark Andrews wrote: ! Additionally authoritative servers for a zone are supposed to answer queries with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED is the wrong answer if the query name involves zones you serve. Only if you a

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-03 Thread Peter
On Tue, Aug 02, 2022 at 02:04:22PM -0400, Timothe Litt wrote: ! On 02-Aug-22 13:18, Peter wrote: ! > On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote: ! > !

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Mark Andrews
Additionally, authoritative servers for a zone are supposed to answer queries with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED is the wrong answer if the query name involves zones you serve. Only if you are a recursive only server should you be considering REFUSED. -- M

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Timothe Litt
On 02-Aug-22 13:18, Peter wrote: On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote: ! ! On 02-Aug-22 11:09,bind-users-requ...@lists.isc.org wrote: ! ! > | Before your authoritative view, define a recursive view with the internal ! > ! zones defined as static-stub, match-recursive-only

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Peter
On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote: ! You can get the AD flag set, with a bit of extra work.  I've done this for ! years. Thanks for Your message, Timothe. After investigating the matter, I had figured out a similar approach - but didn't know if this is a recommended or

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-02 Thread Timothe Litt
On 01-Aug-22 12:15, John W. Blue wrote: While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set.  You will only get the AA flag.  So there is nothing to be gained from signing an interna

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Mark Andrews
DNSSEC is designed to be validated in the application. That applies equally to internal zones as it does to external zones. One procedure for them all. -- Mark Andrews > On 1 Aug 2022, at 11:15, John W. Blue via bind-users > wrote: > >  > As some enterprise networks begin to engineer towar

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Grant Taylor via bind-users
Let's flip this on its head. On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC signing of an internal zone. So why shouldn't the internal zone(s) be s

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Ondřej Surý
; Sent: Monday, August 1, 2022 11:29 AM > To: bind-users@lists.isc.org > Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) > >> On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: >> While that extra overhead is true, it is more accurate to sa

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
Also John .. how can SSHA and TLSA be used if the internal zone fails validation? John -Original Message- From: John Franklin [mailto:frank...@sentaidigital.com] Sent: Monday, August 1, 2022 12:45 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: DNSSEC signing of an internal

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
-only zones authoritatively from their recursive servers” John From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark Elkins via bind-users Sent: Monday, August 1, 2022 1:12 PM To: bind-users@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Mark Elkins via bind-users
seeing only the AA flag is set. John -Original Message- From: John Franklin [mailto:frank...@sentaidigital.com] Sent: Monday, August 1, 2022 12:45 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) On Aug 1, 2022, at

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Grant Taylor via bind-users
On 8/1/22 11:51 AM, John W. Blue via bind-users wrote: However, the intent of the thread is to talk about the lack of an AD flag from a non-public internal authoritative server. Based upon what I am seeing only the AA flag is set. There are multiple reasons to sign zones. The existence of th

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
: Monday, August 1, 2022 12:45 PM To: John W. Blue Cc: bind-users@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) On Aug 1, 2022, at 12:15, John W. Blue via bind-users wrote: > > As some enterprise networks begin to engineer towards the conce

RE: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread John W. Blue via bind-users
@lists.isc.org Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??) On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: > While that extra overhead is true, it is more accurate to say that if > internal clients are talking directly to an authoritative server the > AD

Re: DNSSEC signing of an internal zone gains nothing (unless??)

2022-08-01 Thread Grant Taylor via bind-users
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote: While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set.  You will only get the AA flag.  So there is nothing to be gained from signi