DNSSEC and forward zones
lyle at lcrcomputer.net
Tue Nov 1 20:19:18 UTC 2011
On 11/1/2011 3:02 PM, Phil Mayers wrote:
> On 11/01/2011 06:34 PM, Scott Morizot wrote:
>> Alternatively, you can sign 'policydomain.internal' and configure its key
>> as one of the trust anchors on the validating name servers. The order of
>> validation is, if I recall correctly, locally configured trust anchors,
>> then chain of trust from root, and finally DLVs. So doing that should
>> provide a successful validation for the domain.
> So presumably you could also follow Lyle's suggestion - have a local
> "private" zone, signed, with a local trust anchor and an *in*secure
> delegation to "policydomain.internal"?
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to
> unsubscribe from this list
I would suggest not signing the .internal zone as a private zone and you
will be done. Then there is no DNSSEC records to mess with at all.
Again, this has a disadvantage if they ever decide to make .internal a
real internet domain name and some people frown upon this practice. Be
sure you know what can go wrong.
LCR Computer Services, Inc.
More information about the bind-users