On 01. 08. 22 18:15, John W. Blue via bind-users wrote:
> As some enterprise networks begin to engineer towards the concepts of
> ZeroTrust, one item caught me unaware: PMs asking for the DNSSEC
> signing of an internal zone.
>
> Granted, it has long been considered unwise by DNS pros, with a commonly
> stated reason that it increases the size of the zone, yadda, yadda, yadda.
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the AD
> flag will not be set. You will only get the AA flag. So there is
> nothing to be gained from signing an internal zone.
>
> However, I have not tested it yet; I would assume that if a
> non-authoritative internal server was queried it would be able to walk
> the chain of trust and return AD.
>
> Thoughts?
I think it's worth reading
https://datatracker.ietf.org/doc/html/draft-krishnaswamy-dnsop-dnssec-split-view
Keep in mind it is 15 years old, but it will give you an idea about
various points of view.
--
Petr Špaček
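As an added illustration (not from the thread or from BIND), the following decoder shows the header-flag distinction the quoted post turns on: AA (bit 0x0400) is set by an authoritative server and says nothing about validation, while AD (bit 0x0020, RFC 4035) is set only by a validating resolver that walked the chain of trust. The two sample headers are constructed in the script, not captured traffic; `classify` is an example helper, not a BIND API.

```python
import struct

# DNS header flag bits: RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2.3.
QR, AA, TC, RD, RA, AD, CD = 0x8000, 0x0400, 0x0200, 0x0100, 0x0080, 0x0020, 0x0010


def build_header(flags, txid=0x1234, qdcount=1, ancount=1):
    """Build a constructed 12-byte DNS header for the example (not real traffic)."""
    return struct.pack(">HHHHHH", txid, flags, qdcount, ancount, 0, 0)


def decode_flags(message):
    """Decode the 16-bit flags field of a DNS message into named fields."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    (flags,) = struct.unpack(">H", message[2:4])
    return {
        "qr": bool(flags & QR),          # 1 = response
        "opcode": (flags >> 11) & 0xF,
        "aa": bool(flags & AA),          # authoritative answer
        "tc": bool(flags & TC),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "ad": bool(flags & AD),          # authentic data: resolver validated it
        "cd": bool(flags & CD),          # checking disabled: client asked for no validation
        "rcode": flags & 0xF,
    }


def classify(message):
    """Say what a response's flags tell a client about DNSSEC validation."""
    f = decode_flags(message)
    if not f["qr"]:
        return "query"
    if f["ad"]:
        return "validated"                     # chain of trust walked by the resolver
    if f["aa"]:
        return "authoritative, not validated"  # AA alone proves nothing about DNSSEC
    return "unvalidated"


# Constructed sample 1: an authoritative server answering an internal client
# directly. It asserts AA, but never AD, even for a signed zone.
AUTH_REPLY = build_header(QR | AA | RD)

# Constructed sample 2: a validating recursive resolver answering the same
# client. It is not authoritative (no AA) but has validated the answer (AD).
RESOLVER_REPLY = build_header(QR | RD | RA | AD)

if __name__ == "__main__":
    for name, msg in (("authoritative", AUTH_REPLY), ("resolver", RESOLVER_REPLY)):
        f = decode_flags(msg)
        print(f"{name:14s} aa={f['aa']} ad={f['ad']} -> {classify(msg)}")
```

In practice the same check is `dig +dnssec <name> @<server>` and looking for `ad` in the `flags:` line; the decoder just makes explicit which bit that word corresponds to. Note that a resolver omits AD when the client set CD, so a stub configured to disable checking will never see it either.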