DNSSEC basic information
Tony Finch
dot at dotat.at
Tue Sep 24 19:00:46 UTC 2019
John W. Blue <john.blue at rrcic.com> wrote:
>
> Nothing prevents anyone from using DNSSEC internally but, as I
> understand it, that was not the intent.
I'm a relative newcomer having only done DNSSEC for about 10 years (so
I wasn't around until most of the design arguments were settled), but I
don't remember seeing anyone say it wasn't intended for internal zones.
There can be some awkward things that make it much harder than signing a
public zone, though:
* if your internal DNS squats on a fake TLD
* if someone says you can't use the same keys to sign internal and
external views
* RFC 1918 reverse DNS
It would be a lot less awkward if there were a good way to distribute
trust anchors for internal zones, but sadly there isn't.
> Additionally, if there is an obligation to validate zones internal to an
> organization that in of itself should be a really big red flag something
> is wrong with trust relationships.
That depends a lot on how tightly controlled your org is :-) In my fantasy
world the DNS would serve as a convenient PKI for bootstrapping trust; but
in the real world it's probably easier to boostrap off private x.509 trust
anchors or even ssh certificate auth, rather than DNSSEC, sadface.
> So the nuts and bolts of enabling DNSSEC increases zone data by 30 to
> 40%
More like a factor of 3.5x (number of records) or 10x (bytes of
presentation format zone file) based on the cam.ac.uk zone (43k
records before signing).
> not to mention the additional crypto load induced if there are
> frequent changes.
You need to be up in the thousands of updates per second before this is a
problem - see
https://lists.dns-oarc.net/pipermail/dns-operations/2019-September/019205.html
> If a split horizon is in use then internal zones typically have more
> records than external.
Yeah, private.cam.ac.uk has 350k records unsigned, but we're possibly
being silly about DHCP placeholder records :-)
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
Dover, Wight, Portland, Plymouth, Biscay: West or southwest 5 to 7,
occasionally gale 8 except in Biscay. Moderate or rough in Dover and east
Wight, but elsewhere rough or very rough. Showers. Moderate or good.
More information about the bind-users
mailing list