Overwrite A record from DNSSEC protected domain if I am the owner of the domain

Matus UHLAR - fantomas uhlar at fantomas.sk
Wed Apr 26 17:36:48 UTC 2017


On 26.04.17 18:36, Matthias Fechner wrote:
>I have a domain fechner.net which is protected using DNSSEC.
>
>The zone is managed on a server located in a data center.
>
>Some A records are pointing to a computer that has a low speed 
>internet connection on the WAN side, but very fast connection on the 
>LAN side.
>
>If I am now located in this LAN and I resolve the hostname (in this LAN 
>also bind9.10 is running), I will get the IP of the WAN connection 
>and the traffic is flowing out of the interface where the standard 
>gateway is defined, goes to the provider and is coming back over a 
>tunnel using the WAN connection. I can explain it more in detail, but 
>the routing should not be important for the question I have.

Routing is one of the ways to avoid your issue.
>Now I would like to overwrite some of the A records from my zone (I 
>have full access to public and private key for DNSSEC).
>Some CNAMEs will point to this A record, so I have to change only the 
>IP from the A record, all other CNAMEs can be handled by the official 
>bind that is reachable on the internet.
>
>Normally I would use RPZ to handle this, but it seems that this will 
>not work if the A record is using DNSSEC (at least the manual says 
>that it will not rewrite the A record if DNSSEC is used to protect 
>the A record).
>
>So what I would like to have:
>- if I resolve from external it should resolve to the official IP that 
>is reachable from the internet
>- if I resolve from my local LAN it should return the internal IP 
>like 192.168.0.1, that is only reachable from the LAN

This can be done using a small resolver in the LAN that resolves the name to
the internal IP. Should be no problem unless your end-resolvers check DNSSEC.

-- 
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
99 percent of lawyers give the rest a bad name. 
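One way to build the small LAN resolver suggested above, as an added example that is not part of the original thread: a BIND 9.10 named.conf for a LAN-only box that recurses for everything else but is authoritative for a private copy of fechner.net signed with the same keys the public server uses, which is what keeps DNSSEC-validating end-resolvers on the LAN happy. The LAN prefix 192.168.0.0/24, the resolver address 192.168.0.53 and the file paths are assumptions; fechner.net and 192.168.0.1 come from the thread.

```conf
// Added example, not from the thread: named.conf for the small resolver
// on the LAN (BIND 9.10). Assumed values: LAN 192.168.0.0/24, resolver
// address 192.168.0.53, and the file paths. "fechner.net" and the
// internal address 192.168.0.1 come from the thread.

acl lan { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/named";
    listen-on { 192.168.0.53; 127.0.0.1; };
    allow-query { lan; };
    allow-recursion { lan; };
    recursion yes;
    // Validate everything this box recurses for on behalf of LAN clients.
    dnssec-validation auto;
};

// A LAN-only authoritative copy of the whole zone. The unsigned file is a
// copy of the public zone with the A record(s) changed to the LAN address,
// e.g.
//   host  IN  A  192.168.0.1
// It must contain every name in the zone, because this server answers
// authoritatively for all of fechner.net on the LAN.
//
// key-directory holds the same KSK/ZSK files (K*.key / K*.private) that the
// public server uses. BIND then signs the internal copy with those keys, so
// a validating end-resolver on the LAN sees RRSIGs and a DNSKEY RRset that
// chain to the DS already published at the .net parent. This is what makes
// the internal answer acceptable to DNSSEC-validating clients; an RPZ
// rewrite cannot do this because it carries no valid signature. When the
// public zone rolls a key, copy the new key files here as well.
zone "fechner.net" {
    type master;
    file "internal/fechner.net.db";
    key-directory "/var/named/keys";
    inline-signing yes;        // signed copy kept in fechner.net.db.signed
    auto-dnssec maintain;      // re-sign as signatures approach expiry
    allow-transfer { none; };
    allow-update { none; };
};
```

After reloading, `dig +dnssec @192.168.0.53 host.fechner.net A` from the LAN should return 192.168.0.1 with an RRSIG, and a validating client using this resolver should accept it.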

