DNSSEC and split DNS

Mark Andrews marka at isc.org
Wed Oct 23 23:28:57 UTC 2013

	You sign all versions of the zone.

	As for key management you can:

	* use the same keys in all views which makes mobile device
	  management simpler as there is no need to distribute keys.
	  Validating from the root will work in all cases though
	  there is still something to be said for distributing keys
	  for local zones locally as this prevents resolution
	  failures when the site is disconnected from the rest of
	  the world.

	* different keys per view.  You will need to distribute the
	  keys and for mobile devices they will need all sets of
	  keys as they see both the internal and external views
	  depending upon where they attach to the network and whether
	  there is a VPN active.  For fixed devices different keys
	  will cause data leakage to be rejected as the leaked data
	  won't validate.

	You can change strategy if you pick the wrong one.


In message <526857A2.8050405 at networktest.com>, David Newman writes:
> What is the recommended practice for adding DNSSEC to an environment
> that currently uses split DNS?
> Apologies as I'm sure this has come up before, but most discussion I
> found on bind-users was from 1999, and this isn't covered in the ARM.
> I did find this draft (not RFC) from 2007, but even the author
> acknowledges that some examples given can invite misconfiguration:
> http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04
> On the surface, split DNS and DNSSEC have seemingly opposite goals: One
> seeks to provide different responses to queries for the same resource,
> and the other seeks to prevent it.
> Is there some way of reconciling these?
> Thanks
> dn
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
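As an added illustration of the two key-management strategies in the reply above (this is example configuration, not from the original thread or from ISC), the BIND 9.9-era named.conf fragments below serve one zone in an internal and an external view, sign both versions with inline signing, and show where the shared versus per-view key directories differ. The zone name, client ranges, file paths, key directories and the trust-anchor value are assumptions chosen for illustration.

```conf
# Added example (not from the original thread): BIND 9.9-era named.conf
# fragments for a split-DNS zone that is signed in every view.
# Zone name, client ranges, paths and key directories are assumptions.

options {
    directory "/var/named";
    dnssec-enable yes;
};

# Strategy 1 from the reply: the same key pair signs the zone in all views.
# Both views point at one key-directory, so the DS in the parent, or a locally
# distributed trust anchor, validates whichever version of the zone a client
# sees. Assumption: distinct zone file names per view, because inline-signing
# keeps its signed copy and journal next to the zone file.
view "internal" {
    match-clients { 192.0.2.0/24; 198.51.100.0/24; };  # LAN and VPN pool (assumed)
    recursion yes;
    dnssec-validation auto;   # validate from the root trust anchor

    # Local trust anchor for the local zone, so internal clients keep
    # validating while the site is cut off from the root (the "distribute
    # keys for local zones locally" point in the reply).
    # PLACEHOLDER: the base64 public key of the example.com KSK goes here.
    trusted-keys {
        "example.com." 257 3 8 "PLACEHOLDER-KSK-PUBLIC-KEY";
    };

    zone "example.com" {
        type master;
        file "internal/example.com.db";    # internal version of the data
        key-directory "keys/example.com";  # keys shared with the external view
        inline-signing yes;
        auto-dnssec maintain;
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/example.com.db";    # external version of the data
        key-directory "keys/example.com";  # same keys as the internal view
        inline-signing yes;
        auto-dnssec maintain;
    };
};

# Strategy 2 from the reply: a different key pair per view. Only the changed
# key-directory lines are shown. The parent DS can carry only the external
# KSK, so the internal KSK must reach internal resolvers through a
# trusted-keys statement like the one above, and internal data that leaks to
# an external client fails validation because it is signed by the wrong keys.
#     key-directory "keys/example.com.internal";   # in view "internal"
#     key-directory "keys/example.com.external";   # in view "external"
```

After reloading, each view can be checked separately by querying it from an address that matches its match-clients list with the DO bit set and confirming that the answer carries RRSIG records and, on a validating resolver, the AD flag. Later BIND releases replace auto-dnssec with dnssec-policy, but the view and key-directory layout is the same.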
