On Sun, Feb 10, 2013 at 05:57:42PM -0500, Michael W. Lucas wrote:
> Is there a way to set up a private trust anchor for internal-only
> zones with BIND 9.9?
>
> I have some local and RFC1918 zones that I'd like to secure. It seems
> I should be able to configure a private trust anchor and use that key
> to sign these zones.
>
> I've found related docs, like draft-jabley-dnssec-trust-anchor-06,
> which has great gobs of theory, but nothing on how to actually do this
> with BIND.
>
> Has anyone done this? Or is this just daft?
In my experience the two aren't mutually exclusive, but yes, it does work.

Create keys for your local zones, sign them, and put the KSKs into the resolver's named.conf in a "trusted-keys" statement. Then configure the zones as "type forward", with "forwarders" pointing to the authoritative server(s) for your zones. The resolver will then forward queries for those names to the authoritative servers, and validate the responses.

(If those weren't enough bread crumbs to show you the way, I can expand on this.)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
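The procedure in Evan's reply, written out as an added example; this is not code from the thread and not ISC's own tooling. Everything concrete in it is an assumption: the private zone corp.example., its zone file corp.example.zone, the authoritative servers 10.0.0.53 and 10.0.0.54, and the key tags 12345 and 23456 in the constructed .key files (the key material in them is not real). sign_zone() shows the authoritative side with BIND 9.9's dnssec-keygen and dnssec-signzone; it is only defined, since it needs those tools. The two resolver-side functions run offline: one converts dnssec-keygen .key files into the trusted-keys statement (keeping only KSKs, flags 257), the other emits the forward zone. The "forward only;" line is this example's addition, not something the reply asked for; it stops the resolver from trying the public tree for a name that exists only internally.

```shell
#!/bin/sh
# Added example for the bind-users thread above; not code from the thread or from ISC.
# Assumptions: the private zone is "corp.example." (hypothetical), its zone file is
# corp.example.zone, the authoritative servers are 10.0.0.53 and 10.0.0.54, and the
# key tags 12345/23456 in the constructed sample .key files are made up.
set -eu

# --- Authoritative side: generate a KSK and ZSK and sign the zone (BIND 9.9 tools).
# Defined only; it needs dnssec-keygen/dnssec-signzone and is not run offline.
sign_zone() {
    zone=$1; zonefile=$2
    # RSASHA256 is DNSKEY algorithm 8. -f KSK sets the flags field to 257.
    dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE "$zone"
    dnssec-keygen -a RSASHA256 -b 1024 -n ZONE "$zone"
    # -S (smart signing) reads the K<zone>+008+<tag>.key/.private files in -K
    # and inserts the DNSKEY RRs itself; output is ${zonefile}.signed.
    dnssec-signzone -S -K . -o "$zone" "$zonefile"
}

# --- Resolver side, step 1: turn dnssec-keygen .key files into a trusted-keys statement.
# Only key-signing keys (flags 257) become trust anchors; ZSKs (256) are skipped.
dnskey_to_trusted_keys() {
    printf 'trusted-keys {\n'
    cat "$@" | awk '
        /^;/ { next }                       # comment lines dnssec-keygen writes
        {
            d = 0
            for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { d = i; break }
            if (d == 0) next                # also tolerates an optional TTL field
            if ($(d+1) != 257) next         # flags: 257 = KSK, 256 = ZSK
            key = ""
            for (i = d + 4; i <= NF; i++) key = key $i   # rejoin split base64
            printf("    \"%s\" %s %s %s \"%s\";\n", $1, $(d+1), $(d+2), $(d+3), key)
        }'
    printf '};\n'
}

# --- Resolver side, step 2: a forward zone for the private name.
# "forward only" (this example's addition) keeps the resolver from falling
# back to the public tree for a name that only exists internally.
forward_zone_stanza() {
    zone=$1; shift
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders {' "$zone"
    for ns in "$@"; do printf ' %s;' "$ns"; done
    printf ' };\n};\n'
}

# --- Offline demo with constructed .key files (the key material is not real).
workdir=$(mktemp -d)
cat > "$workdir/Kcorp.example.+008+12345.key" <<'EOF'
; This is a key-signing key, keyid 12345, for corp.example.
corp.example. IN DNSKEY 257 3 8 AwEAAcONSTRUCTEDsampleKSKnotArealKey0000000000000000000000000
EOF
cat > "$workdir/Kcorp.example.+008+23456.key" <<'EOF'
; This is a zone-signing key, keyid 23456, for corp.example.
corp.example. IN DNSKEY 256 3 8 AwEAAcONSTRUCTEDsampleZSKnotArealKey0000000000000000000000000
EOF

# Fragments for the resolver's named.conf. Validation itself must stay on in
# options { dnssec-validation yes; } (the BIND 9.9 default).
dnskey_to_trusted_keys "$workdir"/Kcorp.example.+008+*.key
forward_zone_stanza corp.example. 10.0.0.53 10.0.0.54
rm -rf "$workdir"
```

Paste the two printed fragments into the resolver's named.conf, check it with named-checkconf, and reload. If the KSK is ever rolled on the authoritative side, the trusted-keys statement has to be updated by hand, which is the cost of a static anchor for a zone the public root cannot vouch for.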