In message <5268626c.8040...@networktest.com>, David Newman writes: > On 10/23/13 4:28 PM, Mark Andrews wrote: > > You sign all versions of the zone. > > > > As for key management you can: > > > > * use the same keys in all views which makes mobile device > > management simpler as there is no need to distribute keys. > > Validating from the root will work in all cases though > > there is still something to be said for distributing keys > > for local zones locally as this prevents resolution > > failures when the site is disconnected from the rest of > > the world. > > > > * different keys per view. You will need to distribute the > > keys and for mobile devices they will need all sets of > > keys as they see both the internal and external views > > depending apon where they attach to the network and whether > > there is a VPN active. For fixed devices different keys > > will cause data leakage to be rejected as the leaked data > > won't validate. > > > > You can change strategy if you pick the wrong one. > > Thanks, makes sense. > > What about delegation? Right now, there is none between external zones > and internal forward zones using RFC 1918 addresses. > > I *think* option 1 would require, for example, example.org's zone to > include delegation and glue records for internal.example.org to keep the > chain of trust intact. > > And I *think* option 2 in theory could be set up as an island of trust, > with no delegation from parent domains.
You can * add the delegation for internal.example.org to example.org and make it visible to the world with a appropriate acl on internal.example.org. * have two version of example.org, one with and one without the delegation for internal.example.org. * you can add a trust anchor for internal.example.org. As more validation takes place in applications the first two will be easier to mangage. > True? > > Thanks again > > dn > > > > > Mark > > > > In message <526857a2.8050...@networktest.com>, David Newman writes: > >> What is the recommended practice for adding DNSSEC to an environment > >> that currently uses split DNS? > >> > >> Apologies as I'm sure this has come up before, but most discussion I > >> found on bind-users was from 1999, and this isn't covered in the ARM. > >> > >> I did find this draft (not RFC) from 2007, but even the author > >> acknowledges that some examples given can invite misconfiguration: > >> > >> http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04 > >> > >> On the surface, split DNS and DNSSEC have seemingly opposite goals: One > >> seeks to provide different responses to queries for the same resource, > >> and the other seeks to prevent it. > >> > >> Is there some way of reconciling these? > >> > >> Thanks > >> > >> dn > >> > >> _______________________________________________ > >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to > >> unsubscribe from this list > >> > >> bind-users mailing list > >> bind-users@lists.isc.org > >> https://lists.isc.org/mailman/listinfo/bind-users > _______________________________________________ > Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe > from this list > > bind-users mailing list > bind-users@lists.isc.org > https://lists.isc.org/mailman/listinfo/bind-users -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
