Anne, Nothing prevents anyone from using DNSSEC internally but, as I understand it, that was not the intent. Additionally, if there is an obligation to validate zones internal to an organization that in of itself should be a really big red flag something is wrong with trust relationships.
So the nuts and bolts of enabling DNSSEC increases zone data by 30 to 40% not to mention the additional crypto load induced if there are frequent changes. If a split horizon is in use then internal zones typically have more records than external. On a zone that has a handful of records and very low QPS then a signed internal zone a non-issue. As with everything, when you scale up unintended consequences of choices made tend to kick in. John -----Original Message----- From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Anne Bennett Sent: Tuesday, September 24, 2019 12:46 PM To: bind-us...@isc.org Subject: Re: DNSSEC basic information Evan Hunt answers Jukka Pakkanen: > In newer releases there's also a configuration option, > "validate-except", which permanently disables validation below > specified domains. This can be used, for example, if you have an > internal network using a fake TLD and you want to prevent it from showing up > as bogus. ... and in a separate message, John W. Blue wrote: > 1. DNSSEC was designed for external zones I have a case where I recently had to use "validate-except" because of a domain (not mine) whose external view is signed but not the internal view; my resolver gets the internal view for that zone. Can someone enlighten me as to why "DNSSEC was designed for external zones", and under what circumstances it makes sense to *not* sign an internal view? It seems to me that it would be most consistent to sign both external and internal views. Anne. -- Ms. Anne Bennett, Senior Sysadmin, ENCS, Concordia University, Montreal H3G 1M8 a...@encs.concordia.ca +1 514 848-2424 x2285 _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
