DNSSEC and forward zones

Lyle Giese lyle at lcrcomputer.net
Tue Nov 1 20:19:18 UTC 2011

On 11/1/2011 3:02 PM, Phil Mayers wrote:
> On 11/01/2011 06:34 PM, Scott Morizot wrote:
>> Alternatively, you can sign 'policydomain.internal' and configure its key
>> as one of the trust anchors on the validating name servers. The order of
>> validation is, if I recall correctly, locally configured trust anchors,
>> then chain of trust from root, and finally DLVs. So doing that should
>> provide a successful validation for the domain.
> So presumably you could also follow Lyle's suggestion - have a local
> "private" zone, signed, with a local trust anchor and an *in*secure
> delegation to "policydomain.internal"?
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list

I would suggest not signing the .internal zone as a private zone and you 
will be done.  Then there is no DNSSEC records to mess with at all.

Again, this has a disadvantage if they ever decide to make .internal a 
real internet domain name and some people frown upon this practice.  Be 
sure you know what can go wrong.

Lyle Giese
LCR Computer Services, Inc.

More information about the bind-users mailing list