DNSSEC and split DNS

David Newman dnewman at networktest.com
Wed Oct 23 23:11:30 UTC 2013

What is the recommended practice for adding DNSSEC to an environment
that currently uses split DNS?

Apologies as I'm sure this has come up before, but most discussion I
found on bind-users was from 1999, and this isn't covered in the ARM.

I did find this draft (not RFC) from 2007, but even the author
acknowledges that some examples given can invite misconfiguration:


On the surface, split DNS and DNSSEC have seemingly opposite goals: One
seeks to provide different responses to queries for the same resource,
and the other seeks to prevent it.

Is there some way of reconciling these?