You sign all versions of the zone.

        As for key management you can:

        * use the same keys in all views which makes mobile device
          management simpler as there is no need to distribute keys.
          Validating from the root will work in all cases though
          there is still something to be said for distributing keys
          for local zones locally as this prevents resolution
          failures when the site is disconnected from the rest of
          the world.

        * different keys per view.  You will need to distribute the
          keys and for mobile devices they will need all sets of
          keys as they see both the internal and external views
          depending upon where they attach to the network and whether
          there is a VPN active.  For fixed devices different keys
          will cause data leakage to be rejected as the leaked data
          won't validate.

        You can change strategy if you pick the wrong one.

        Mark

In message <526857a2.8050...@networktest.com>, David Newman writes:
> What is the recommended practice for adding DNSSEC to an environment
> that currently uses split DNS?
> 
> Apologies as I'm sure this has come up before, but most discussion I
> found on bind-users was from 1999, and this isn't covered in the ARM.
> 
> I did find this draft (not RFC) from 2007, but even the author
> acknowledges that some examples given can invite misconfiguration:
> 
> http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04
> 
> On the surface, split DNS and DNSSEC have seemingly opposite goals: One
> seeks to provide different responses to queries for the same resource,
> and the other seeks to prevent it.
> 
> Is there some way of reconciling these?
> 
> Thanks
> 
> dn
> 
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
> from this list
> 
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
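
The "different keys per view" option from the reply above, sketched as an added example that is not part of the original message or any ISC-supplied configuration. It assumes BIND 9.16 or later (`dnssec-policy`, `trust-anchors`); the zone name, networks, file paths and key material are constructed placeholders.

```conf
# --- named.conf on the authoritative server (constructed example) ---
acl internal-nets { 10.0.0.0/8; 192.168.0.0/16; };   # placeholder networks

view "internal" {
    match-clients { internal-nets; };
    zone "example.com" {
        type primary;
        file "internal/example.com.db";     # internal version of the zone
        dnssec-policy default;
        inline-signing yes;
        key-directory "keys/internal";      # key set used only by this view
    };
};

view "external" {
    match-clients { any; };
    zone "example.com" {
        type primary;
        file "external/example.com.db";     # external version of the zone
        dnssec-policy default;
        inline-signing yes;
        key-directory "keys/external";      # separate key set for this view
    };
};

# --- named.conf on a validating resolver used by a mobile device ---
# A device that can see either view needs trust anchors for both key sets.
# The quoted strings are placeholders for each view's KSK public key.
trust-anchors {
    example.com. static-key 257 3 13 "<internal view KSK, base64>";
    example.com. static-key 257 3 13 "<external view KSK, base64>";
};
```

For the "same keys in all views" option, both zone statements would instead point `key-directory` at one shared directory, and no locally distributed trust anchor is required because validation from the root works.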