DNSSEC and split DNS

Mark Andrews marka at isc.org
Thu Oct 24 00:20:23 UTC 2013 

In message <5268626C.8040603 at networktest.com>, David Newman writes:
> On 10/23/13 4:28 PM, Mark Andrews wrote:
> > 	You sign all versions of the zone.
> > 
> > 	As for key management you can:
> > 
> > 	* use the same keys in all views which makes mobile device
> > 	  management simpler as there is no need to distribute keys.
> > 	  Validating from the root will work in all cases though
> > 	  there is still something to be said for distributing keys
> > 	  for local zones locally as this prevents resolution
> > 	  failures when the site is disconnected from the rest of
> > 	  the world.
> > 
> > 	* different keys per view.  You will need to distribute the
> > 	  keys and for mobile devices they will need all sets of
> > 	  keys as they see both the internal and external views
> > 	  depending apon where they attach to the network and whether
> > 	  there is a VPN active.  For fixed devices different keys
> > 	  will cause data leakage to be rejected as the leaked data
> > 	  won't validate.
> > 
> > 	You can change strategy if you pick the wrong one.
> 
> Thanks, makes sense.
> 
> What about delegation? Right now, there is none between external zones
> and internal forward zones using RFC 1918 addresses.
> 
> I *think* option 1 would require, for example, example.org's zone to
> include delegation and glue records for internal.example.org to keep the
> chain of trust intact.
>
> And I *think* option 2 in theory could be set up as an island of trust,
> with no delegation from parent domains.

You can
* add the delegation for internal.example.org to example.org
  and make it visible to the world with a appropriate acl on
  internal.example.org.
* have two version of example.org, one with and one without the
  delegation for internal.example.org.
* you can add a trust anchor for internal.example.org.

As more validation takes place in applications the first two
will be easier to mangage.

> True?
> 
> Thanks again
> 
> dn
> 
> > 
> > 	Mark
> > 
> > In message <526857A2.8050405 at networktest.com>, David Newman writes:
> >> What is the recommended practice for adding DNSSEC to an environment
> >> that currently uses split DNS?
> >>
> >> Apologies as I'm sure this has come up before, but most discussion I
> >> found on bind-users was from 1999, and this isn't covered in the ARM.
> >>
> >> I did find this draft (not RFC) from 2007, but even the author
> >> acknowledges that some examples given can invite misconfiguration:
> >>
> >> http://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04
> >>
> >> On the surface, split DNS and DNSSEC have seemingly opposite goals: One
> >> seeks to provide different responses to queries for the same resource,
> >> and the other seeks to prevent it.
> >>
> >> Is there some way of reconciling these?
> >>
> >> Thanks
> >>
> >> dn
> >>
> >> _______________________________________________
> >> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> >>
> >> bind-users mailing list
> >> bind-users at lists.isc.org
> >> https://lists.isc.org/mailman/listinfo/bind-users
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> 
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list