Grant Taylor wrote:
>
> What is your opinion on blindly grafting the sub-domain onto the parent zone
> without proper delegation.
Asking for trouble. We used to do that in the dim and distant past but
not any more because it's incompatible with DNSSEC.
> As I type this I wonder about delegating
On wrote:
> On 07/25/2018 05:18 AM, Tony Finch wrote:
>
>> I recommend having an empty public view of your private zone, so that
>> external queries succeed with NXDOMAIN / NODATA.
>>
>
> ACK.
>
> What is your opinion on blindly grafting the sub-domain onto the parent
> zone without proper delegat
On 07/25/2018 05:18 AM, Tony Finch wrote:
I recommend having an empty public view of your private zone, so that
external queries succeed with NXDOMAIN / NODATA.
ACK.
What is your opinion on blindly grafting the sub-domain onto the parent
zone without proper delegation. I.e. internal DNS serv
Grant Taylor wrote:
>
> Is there a best practice around this method of delegating to sub-domain(s)
> that are inaccessible to the public?
I recommend having an empty public view of your private zone, so that
external queries succeed with NXDOMAIN / NODATA. Returning REFUSED for a
private zone cau
Paul,
On 07/24/2018 10:10 AM, Paul Vixie wrote:
i also use real domains for my private stuff. but i also use RPZ locally
for the internal bindings,
Do you leverage anything like Dynamic DNS updates in conjunction with
DHCP? If so, how well does that play with the configuration that you're
u
On 07/24/2018 09:08 AM, Petr Špaček wrote:
I would recommend you to use subdomain of your public domain.
Agreed.
The alternative might be to use a different public domain.
Nice thing is that this approach doesn't require:
- views
- forwarding
- explicit trust anchor (if you want DNSSEC insid
On Tue, Jul 24, 2018 at 12:10 PM, Paul Vixie wrote:
>
>
>>
> i also use real domains for my private stuff. but i also use RPZ locally
> for the internal bindings, not NS RR delegations that i'd have to keep out
> of my externally-served zone files
I had forgotten our threat intelligence teams
Tim Wicinski wrote:
At my employer we use real domains, but do not expose them to the
outside world (they just see 127.0.0.1). It's a better than inverting
security through obscurity like I have seen elsewhere (not that you
would do that Andreas).
Paul, I am not with 100% love of the .al
Hi Andreas,
One problem with using non-unique namespaces is that if you ever find yourself
needing to join your infrastructure to someone else's you run the risk of
collisions.
[This is an analogue to the problem at the IP layer with using RFC 1918
addresses -- if I'm already using 192.168.1
At my employer we use real domains, but do not expose them to the outside
world (they just see 127.0.0.1). It's a better than inverting security
through obscurity like I have seen elsewhere (not that you would do
that Andreas).
Paul, I am not with 100% love of the .alt name./idea but I do agre
Petr Špaček wrote:
>
> My operational experience indicates that it is easiest to just use
> "corp.example.com.", "office.example.com.", or even "i.example.com.".
We use private.cam.ac.uk.
> Nice thing is that this approach doesn't require:
> - views
We have an empty version of private.cam.ac.uk
i do not love the
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-alt-tld-10 draft,
but i would love even less to see it reinvented in our ignorance.
re:
Ted Lemon wrote:
It would probably be easier to get internal.arpa, similar to home.arpa.
You could use home.arpa now, but it would
It would probably be easier to get internal.arpa, similar to home.arpa.
You could use home.arpa now, but it would look a little funny... :)
On Tue, Jul 24, 2018 at 10:52 AM, A. Schulze wrote:
> Hello,
>
> some time ago there was a proposal (?) from Warren Kumari to define a
> zone "internal."
Hello,
On 24.7.2018 16:52, A. Schulze wrote:
> some time ago there was a proposal (?) from Warren Kumari to define a zone
> "internal." for internal use.
>
> We consider a major DNS redesign of a large enterprise network. Part of the
> network is private (RFC1918 address space in use)
> some
14 matches