On 01. 08. 22 18:15, John W. Blue via bind-users wrote:
As some enterprise networks begin to engineer towards the concepts of
ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC
signing of an internal zone.
Granted, it has long been considered unwise by DNS pros with a commonly
On Wed, Aug 03, 2022 at 04:49:35PM +1000, Mark Andrews wrote:
! Additionally, authoritative servers for a zone are supposed to answer queries
with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED
is the wrong answer if the query name involves zones you serve. Only if you a
On Tue, Aug 02, 2022 at 02:04:22PM -0400, Timothe Litt wrote:
! On 02-Aug-22 13:18, Peter wrote:
! > On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:
! > !
Additionally, authoritative servers for a zone are supposed to answer queries with RD=1 set with RA=0 if the client is not being offered recursion. REFUSED is the wrong answer if the query name involves zones you serve. Only if you are a recursive only server should you be considering REFUSED. -- M
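The header bits that Mark and John are arguing about (AA vs. AD, RD=1 answered with RA=0, REFUSED) are easy to misread from a dig dump, so here is a small decoder, added as an example for this thread rather than taken from any of the posts or from BIND. The responses it inspects are constructed in the script itself, not captured from a real server, and the labels it returns are this example's own naming.

```python
"""Decode DNS response header flags and name what they imply.

Sample packets below are constructed here, not captured from a real server.
Bit positions follow RFC 1035 (QR, AA, TC, RD, RA, RCODE) and RFC 4035 (AD, CD).
"""
import struct
from dataclasses import dataclass

QR, AA, TC, RD, RA, AD, CD = 1 << 15, 1 << 10, 1 << 9, 1 << 8, 1 << 7, 1 << 5, 1 << 4
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


@dataclass(frozen=True)
class Header:
    qr: bool
    aa: bool
    tc: bool
    rd: bool
    ra: bool
    ad: bool
    cd: bool
    rcode: int


def parse_header(packet: bytes) -> Header:
    """Parse the fixed 12-byte DNS header; the other sections are not needed here."""
    if len(packet) < 12:
        raise ValueError("short DNS message")
    _ident, flags = struct.unpack("!HH", packet[:4])
    return Header(
        qr=bool(flags & QR), aa=bool(flags & AA), tc=bool(flags & TC),
        rd=bool(flags & RD), ra=bool(flags & RA), ad=bool(flags & AD),
        cd=bool(flags & CD), rcode=flags & 0xF,
    )


def build_response(*, aa: bool, rd: bool, ra: bool, ad: bool, rcode: int = 0) -> bytes:
    """Build a constructed response header (QR=1, one question, no records)."""
    flags = QR | (AA if aa else 0) | (RD if rd else 0) | (RA if ra else 0) | (AD if ad else 0) | (rcode & 0xF)
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)


def classify(h: Header) -> str:
    """Label a response the way the thread describes the cases."""
    if not h.qr:
        return "query"
    if h.rcode == 5:
        # An authoritative server should not do this for names in zones it serves.
        return "refused"
    if h.aa and not h.ad:
        # What a stub talking straight to the authoritative server sees: signed or
        # not, nobody validated, so only AA is set.
        return "authoritative-unvalidated"
    if h.ad:
        # Only a validating resolver sets AD, and only after the chain checked out.
        return "validated"
    return "unvalidated"


def recursion_note(h: Header) -> str:
    """RD=1 answered with RA=0 is the correct 'no recursion offered' signal."""
    if h.rd and not h.ra:
        return "recursion requested but not offered (RD=1, RA=0)"
    if h.rd and h.ra:
        return "recursive answer (RD=1, RA=1)"
    return "iterative query (RD=0)"


if __name__ == "__main__":
    samples = {
        "auth server, client asked RD=1": build_response(aa=True, rd=True, ra=False, ad=False),
        "validating resolver":            build_response(aa=False, rd=True, ra=True, ad=True),
        "wrong: auth server REFUSED":     build_response(aa=False, rd=True, ra=False, ad=False, rcode=5),
    }
    for name, pkt in samples.items():
        h = parse_header(pkt)
        print(f"{name:32} {RCODE_NAMES.get(h.rcode, h.rcode):8} {classify(h):26} {recursion_note(h)}")
```

Run against real traffic by replacing the constructed packets with the bytes of a UDP response: the first case is exactly the "AA only, no AD" result John reports, the second is what a client behind a validating resolver sees, and the third is the REFUSED behaviour Mark says an authoritative server should not exhibit.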
On 02-Aug-22 13:18, Peter wrote:
On Tue, Aug 02, 2022 at 11:54:02AM -0400, Timothe Litt wrote:
!
! On 02-Aug-22 11:09,bind-users-requ...@lists.isc.org wrote:
!
! > | Before your authoritative view, define a recursive view with the internal
! > ! zones defined as static-stub, match-recursive-only
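The view layout quoted above (a recursive view in front of the authoritative one, with the internal zones as static-stub) can be sketched in named.conf like this. This is an added illustration for the thread, not configuration posted by Timothe or shipped with BIND; the zone name corp.example, the 10.0.0.0/8 client range, the file name and the placeholder key material are all assumptions.

```conf
// Added example: recursive validating view in front of an authoritative view.
// Names, addresses and key material below are assumptions, not from the thread.
options {
    directory "/var/named";
    dnssec-validation auto;       // public root anchor for everything else
};

// A privately rooted internal zone is an island of trust: the resolver needs
// its KSK as a trust anchor or validation can never set AD for it.
trust-anchors {
    corp.example. static-key 257 3 13 "BASE64-KSK-PUBLIC-KEY-PLACEHOLDER";
};

view "recursive" {
    match-clients { 10.0.0.0/8; };
    match-recursive-only yes;     // only RD=1 queries land here
    recursion yes;
    zone "corp.example" {
        type static-stub;
        server-addresses { 127.0.0.1; };   // fetched from the authoritative view below and validated
    };
};

view "authoritative" {
    match-clients { any; };       // everything else, including the resolver's own RD=0 lookups
    recursion no;                 // answers RD=1 with RA=0, never REFUSED, for zones it serves
    zone "corp.example" {
        type primary;
        file "corp.example.db.signed";
        dnssec-policy default;
    };
};
```

With this, an internal stub that sends RD=1 gets a validated answer (AD set) from the recursive view, while anything that queries iteratively still gets the plain authoritative answer (AA set, AD clear) from the second view.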
On Tue, Aug 02, 2022 at 05:51:28AM -0400, Timothe Litt wrote:
! You can get the AD flag set, with a bit of extra work. I've done this for
! years.
Thanks for Your message, Timothe.
After investigating the matter, I had figured out a similar approach -
but didn't know if this is a recommended or
On 01-Aug-22 12:15, John W. Blue wrote:
While that extra overhead is true, it is more accurate to say that if
internal clients are talking directly to an authoritative server the
AD flag will not be set. You will only get the AA flag. So there is
nothing to be gained from signing an interna
DNSSEC is designed to be validated in the application. That applies equally to
internal zones as it does to external zones. One procedure for them all.
--
Mark Andrews
> On 1 Aug 2022, at 11:15, John W. Blue via bind-users
> wrote:
>
>
> As some enterprise networks begin to engineer towar
Let's flip this on its head.
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
As some enterprise networks begin to engineer towards the concepts of
ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC
signing of an internal zone.
So why shouldn't the internal zone(s) be s
; Sent: Monday, August 1, 2022 11:29 AM
> To: bind-users@lists.isc.org
> Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)
>
>> On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
>> While that extra overhead is true, it is more accurate to sa
Also John .. how can SSHA and TLSA be used if the internal zone fails validation?
John
-Original Message-
From: John Franklin [mailto:frank...@sentaidigital.com]
Sent: Monday, August 1, 2022 12:45 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal
-only zones
authoritatively from their recursive servers”
John
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Mark
Elkins via bind-users
Sent: Monday, August 1, 2022 1:12 PM
To: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless
seeing only
the AA flag is set.
John
-Original Message-
From: John Franklin [mailto:frank...@sentaidigital.com]
Sent: Monday, August 1, 2022 12:45 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)
On Aug 1, 2022, at
On 8/1/22 11:51 AM, John W. Blue via bind-users wrote:
However, the intent of the thread is to talk about the lack of an
AD flag from a non-public internal authoritative server. Based upon
what I am seeing only the AA flag is set.
There are multiple reasons to sign zones. The existence of th
: Monday, August 1, 2022 12:45 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)
On Aug 1, 2022, at 12:15, John W. Blue via bind-users
wrote:
>
> As some enterprise networks begin to engineer towards the conce
@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the
> AD
On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
While that extra overhead is true, it is more accurate to say that if
internal clients are talking directly to an authoritative server the AD
flag will not be set. You will only get the AA flag. So there is
nothing to be gained from signi