On 07/25/2018 05:18 AM, Tony Finch wrote:
> I recommend having an empty public view of your private zone, so that external queries succeed with NXDOMAIN / NODATA.
ACK. What is your opinion on blindly grafting the sub-domain onto the parent zone without proper delegation? I.e. the internal DNS server hosts internal.example.net and the external DNS server returns NXDOMAIN for internal.example.net.
I have my doubts about this sort of scheme supporting DNSSEC. - I think it would be better to have a mostly empty zone that is properly delegated and that re-uses the same DNSSEC keys.
I might even go so far as to have the external server be a slave for a specific empty view transferred from the internal server. That way the keys stay internal.
> Returning REFUSED for a private zone causes retries, and not responding at all causes even worse problems such as EDNS fallback attempts.
ACK
> I haven't tried delegating to RFC1918 addresses, but that is likely to cause similar weirdness.
As I type this I wonder about delegating to RFC 1918 address via names in an NS record that are within delegated zone. Thus they would require glue records. Externally I'd omit the glue records. Internally I'd have the records within zone scope along with all the other zone data.
I suspect that this may cause odd retry issues too. It may leak some information, but I do think that the hard NXDOMAIN / NODATA is likely cleanest for the DNS protocol.
-- Grant. . . . unix || die
_______________________________________________ DNSOP mailing list DNSOP@ietf.org https://www.ietf.org/mailman/listinfo/dnsop
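The following BIND 9 configuration is an added example illustrating the two ideas discussed in this thread, not a config from either poster: an "empty public view" of the private zone so that outside queries get NXDOMAIN or NODATA rather than REFUSED or no answer, and the variant where the external server is a slave for that empty view, transferred from the internal server over TSIG so nothing but the apex records ever leaves the internal network. Only example.net and internal.example.net come from the thread; the ACL ranges, the 10.0.0.53 and 203.0.113.53 addresses, ns1.example.net, the view names, the key name xfer-key and its secret placeholder are assumptions. DNSSEC signing of the zone is deliberately left out of the fragment.

```conf
// ===== Internal server (10.0.0.53), named.conf =====

// TSIG key shared with the external server; secret is a placeholder,
// generate a real one with tsig-keygen.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";
};

acl internal-nets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };

// Full zone contents, visible to internal clients only. The leading
// "!key xfer-key" keeps transfer requests from the external server out of
// this view even if they ever arrive from an internal address.
view "internal" {
    match-clients { !key xfer-key; internal-nets; };
    recursion yes;

    zone "internal.example.net" {
        type master;
        file "zones/internal.example.net.db";
        allow-transfer { none; };
    };
};

// Apex-only copy of the same zone name, reachable only by requests signed
// with xfer-key. This is what the external server slaves.
view "public-copy" {
    match-clients { key xfer-key; };
    recursion no;

    zone "internal.example.net" {
        type master;
        file "zones/internal.example.net.empty.db";
        allow-transfer { key xfer-key; };
    };
};

// Contents of zones/internal.example.net.empty.db, shown as comments so this
// block stays valid named.conf. SOA and NS only: any query for a name below
// the apex is answered NXDOMAIN, and an apex query for a type other than
// SOA/NS is answered NODATA. The last SOA field (300) is the negative-cache
// TTL, i.e. how long resolvers keep those NXDOMAIN/NODATA answers.
//   $TTL 3600
//   @   IN SOA ns1.example.net. hostmaster.example.net. (
//              2018072501 3600 900 1209600 300 )
//   @   IN NS  ns1.example.net.

// ===== External server (203.0.113.53), named.conf =====

key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-BASE64-SECRET";   // same secret as above
};

options {
    recursion no;                         // authoritative-only on the Internet side
    allow-transfer { none; };
};

// Slave of the empty view. Because the request is signed with xfer-key, the
// internal server answers it from "public-copy", never from "internal", so
// only the apex records cross the boundary and the zone's keys stay inside.
zone "internal.example.net" {
    type slave;
    masters { 10.0.0.53 key xfer-key; };
    file "slave/internal.example.net.empty";
};
```

After loading, a quick way to confirm the external behaviour Tony describes is to query the external server for a name under the zone and check that the response code is NXDOMAIN with the SOA in the authority section, and for the apex with a non-SOA type that it is NOERROR with an empty answer; REFUSED or a timeout means the zone did not load or the view ordering is wrong.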