On Sun, Feb 10, 2013 at 11:26:27PM +0000, Evan Hunt wrote:
> On Sun, Feb 10, 2013 at 05:57:42PM -0500, Michael W. Lucas wrote:
> > Is there a way to set up a private trust anchor for internal-only
> > zones with BIND 9.9?
> >
> > I have some local and RFC1918 zones that I'd like to secure. It seems
> > I should be able to configure a private trust anchor and use that key
> > to sign these zones.
> >
> > I've found related docs, like draft-jabley-dnssec-trust-anchor-06,
> > which has great gobs of theory, but nothing on how to actually do this
> > with BIND.
> >
> > Has anyone done this? Or is this just daft?
>
> In my experience the two aren't mutually exclusive, but yes, it does work.
> Create keys for your local zones, sign them, and put the KSKs into the
> resolver's named.conf in a "trusted-keys" statement. Then configure the
> zones as "type forward", with "forwarders" pointing to the authoritative
> server(s) for your zones. The resolver will then forward queries for those
> names to the authoritative servers, and validate the responses.
>
> (If those weren't enough bread crumbs to show you the way, I can expand
> on this.)
I specialize in daft practicality, thank you. Sounds fairly straightforward.
I appreciate the hints, should be able to take it from here.

Thanks much!
==ml

-- 
Michael W. Lucas http://www.MichaelWLucas.com/, http://blather.MichaelWLucas.com/
Latest book: SSH Mastery http://www.michaelwlucas.com/nonfiction/ssh-mastery
mwlu...@michaelwlucas.com, Twitter @mwlauthor
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
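The steps Evan Hunt lists above, carried through as a worked example. This script is added here and is not code from the thread or from ISC: it signs an internal zone with BIND 9.9's dnssec-keygen/dnssec-signzone, converts the KSK's DNSKEY record from the generated K*.key file into the resolver's "trusted-keys" statement, and prints the matching "type forward" zone stanza. The zone name corp.example, the server address 192.0.2.53 and the file names are assumptions chosen for illustration; the key-file parser and the stanza printers are plain POSIX sh so they can be checked without BIND installed.

```shell
#!/bin/sh
# Added example (not from the thread or from ISC): the procedure described
# in the reply, for BIND 9.9. Zone name, server address and file names are
# assumptions chosen for illustration.

ZONE="corp.example"          # assumed internal-only zone
AUTH_SERVER="192.0.2.53"     # assumed authoritative server (documentation address)
ZONE_FILE="db.${ZONE}"       # assumed unsigned zone file on the authoritative server
NL='
'                            # a literal newline, used when building multi-line text

# Authoritative server: generate a KSK and a ZSK, then sign the zone.
# Runs only when the BIND tools are installed; writes ${ZONE_FILE}.signed and
# the K${ZONE}.+008+<tag>.key / .private files into the current directory.
sign_zone() {
    command -v dnssec-keygen >/dev/null 2>&1 || { echo "BIND tools not found" >&2; return 1; }
    dnssec-keygen -a RSASHA256 -b 2048 -f KSK -n ZONE "$ZONE"
    dnssec-keygen -a RSASHA256 -b 1024 -n ZONE "$ZONE"
    dnssec-signzone -S -o "$ZONE" "$ZONE_FILE"
}

# Resolver: turn the KSK's DNSKEY record (the K*.key file written by
# dnssec-keygen) into a BIND 9.9 "trusted-keys" statement. Reads DNSKEY RRs
# on stdin, ignores ';' comments, an optional TTL and class, and ZSKs
# (flags 256); the base64 key material is joined if it spans several fields.
dnskey_to_trusted_keys() {
    entries=""
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%;*}"                  # drop ';' comments
        set -- $line                        # word-split the RR into fields (intended)
        [ $# -ge 6 ] || continue            # name [TTL] [IN] DNSKEY flags proto alg key
        name="$1"; shift
        case "$1" in *[!0-9]*) ;; *) shift ;; esac   # skip an optional numeric TTL
        [ "$1" = "IN" ] && shift
        [ "$1" = "DNSKEY" ] || continue
        shift
        flags="$1"; proto="$2"; alg="$3"; shift 3
        [ "$flags" = "257" ] || continue    # only KSKs become trust anchors
        key=$(printf '%s' "$@")             # concatenate the base64 fields
        entries="${entries}    \"${name}\" ${flags} ${proto} ${alg} \"${key}\";${NL}"
    done
    printf 'trusted-keys {\n%s};\n' "$entries"
}

# Resolver: forward the zone to the authoritative server. "forward only"
# stops the resolver from asking the public DNS about a name that is not
# delegated there; the answers are validated against the trusted key above.
forward_zone_stanza() {
    printf 'zone "%s" {\n    type forward;\n    forward only;\n    forwarders { %s; };\n};\n' \
        "$ZONE" "$AUTH_SERVER"
}

# Usage: sh anchor.sh sign                 (on the authoritative server)
#        sh anchor.sh resolver K*.key      (print the named.conf fragments)
case "${1:-}" in
    sign)     sign_zone ;;
    resolver) shift; cat "$@" | dnskey_to_trusted_keys; forward_zone_stanza ;;
esac
```

The resolver also needs `dnssec-validation yes;` in its `options` block for the validation to take place. Because the validator uses the closest configured trust anchor for a name, the internal zone does not need a DS chain from the public root; the "trusted-keys" entry is what makes the signed answers from the forwarders validate. Whenever the KSK is rolled, the statement on every resolver has to be updated by hand, since "trusted-keys" (unlike "managed-keys") is static.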