DNSSEC basic information

Tony Finch dot at dotat.at
Tue Sep 24 19:00:46 UTC 2019


John W. Blue <john.blue at rrcic.com> wrote:
>
> Nothing prevents anyone from using DNSSEC internally but, as I
> understand it, that was not the intent.

I'm a relative newcomer having only done DNSSEC for about 10 years (so
I wasn't around until most of the design arguments were settled), but I
don't remember seeing anyone say it wasn't intended for internal zones.

There can be some awkward things that make it much harder than signing a
public zone, though:

  * if your internal DNS squats on a fake TLD

  * if someone says you can't use the same keys to sign internal and
    external views

  * RFC 1918 reverse DNS

It would be a lot less awkward if there were a good way to distribute
trust anchors for internal zones, but sadly there isn't.

> Additionally, if there is an obligation to validate zones internal to an
> organization that in of itself should be a really big red flag something
> is wrong with trust relationships.

That depends a lot on how tightly controlled your org is :-) In my fantasy
world the DNS would serve as a convenient PKI for bootstrapping trust; but
in the real world it's probably easier to bootstrap off private x.509 trust
anchors or even ssh certificate auth, rather than DNSSEC, sadface.

> So the nuts and bolts of enabling DNSSEC increases zone data by 30 to
> 40%

More like a factor of 3.5x (number of records) or 10x (bytes of
presentation format zone file) based on the cam.ac.uk zone (43k
records before signing).

> not to mention the additional crypto load induced if there are
> frequent changes.

You need to be up in the thousands of updates per second before this is a
problem - see
https://lists.dns-oarc.net/pipermail/dns-operations/2019-September/019205.html

> If a split horizon is in use then internal zones typically have more
> records than external.

Yeah, private.cam.ac.uk has 350k records unsigned, but we're possibly
being silly about DHCP placeholder records :-)

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Dover, Wight, Portland, Plymouth, Biscay: West or southwest 5 to 7,
occasionally gale 8 except in Biscay. Moderate or rough in Dover and east
Wight, but elsewhere rough or very rough. Showers. Moderate or good.
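One way to see where that record-count growth comes from, as an added example that is not part of Tony's message or of any BIND tooling: a small estimator that counts the RRSIG, NSEC and DNSKEY records NSEC signing adds to a zone. The sample zone, the simplified zone-file parser and the one-RRSIG-per-RRset assumption are mine, not something the message states.

```python
from collections import defaultdict

# Constructed sample zone in a simplified presentation format (one record per
# line: owner TTL class type rdata); not a real zone.
SAMPLE_ZONE = """\
example.com.      3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com.      3600 IN NS   ns1.example.com.
example.com.      3600 IN NS   ns2.example.com.
example.com.      3600 IN A    192.0.2.1
ns1.example.com.  3600 IN A    192.0.2.2
ns2.example.com.  3600 IN A    192.0.2.3
www.example.com.  3600 IN A    192.0.2.4
www.example.com.  3600 IN AAAA 2001:db8::4
mail.example.com. 3600 IN A    192.0.2.5   ; text after ';' is a comment
"""

def parse_rrsets(zone_text):
    """Return {owner: {rrtype: record count}} for the simplified format above.
    Assumes fully qualified owners, no $ORIGIN/$INCLUDE and no multi-line RRs."""
    rrsets = defaultdict(lambda: defaultdict(int))
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if not line:
            continue
        owner, _ttl, _cls, rtype = line.split()[:4]
        rrsets[owner.lower()][rtype.upper()] += 1
    return rrsets

def estimate_signed(zone_text, dnskeys=2):
    """Estimate record counts before/after NSEC signing. Assumptions (mine):
    one RRSIG per RRset, one NSEC plus its RRSIG per owner name, a DNSKEY
    RRset of `dnskeys` records at the apex, and no delegations or glue."""
    rrsets = parse_rrsets(zone_text)
    unsigned = sum(sum(types.values()) for types in rrsets.values())
    n_rrsets = sum(len(types) for types in rrsets.values()) + 1  # +1 for DNSKEY RRset
    n_names = len(rrsets)
    rrsig = n_rrsets + n_names            # one per RRset, plus one per NSEC
    signed = unsigned + dnskeys + rrsig + n_names
    return {"unsigned": unsigned, "signed": signed, "factor": signed / unsigned}

if __name__ == "__main__":
    print(estimate_signed(SAMPLE_ZONE))  # 9 records before, 30 after (~3.3x)
```

Zones with more records per RRset (many NS or MX at one name) grow less than this, zones of single-record names grow more, which is why the observed factor lands near 3.5x rather than at a fixed number.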

