<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<div class="moz-cite-prefix">On 01-Aug-22 12:15, John W. Blue wrote:<br>
</div>
<blockquote type="cite"
cite="mid:c7679bd81bcc4a6a901742b5a5a0484a@mail.rrcic.com">
<p>While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from signing an internal zone.</p>
</blockquote>
<p>You can get the AD flag set, with a bit of extra work. I've done
this for years.</p>
<p>The question of whether the client resolver does/should trust the
AD flag is situation dependent.<br>
</p>
<p>Before your authoritative view, define a recursive view with the
internal zones defined as static-stub, match-recursive-only
"yes", and a server-address of localhost. In the authoritative
view, you can share the cache (attach-cache) with the recursive
view.<br>
</p>
<p>It's pretty straightforward to automate keeping the static-stub
list in sync - I keep it in a separate .conf file.</p>
<p>e.g. this outline (the order matters, views are selected
first-match)<br>
</p>
<pre><code>view "r-internal" in {
    match-clients { ... };
    match-recursive-only yes;
    recursion yes;
    /* -- standard config -- */

    /* Included */
    /* -- trusted-keys -- */

    zone "example.net" in {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

view "internal" in {
    attach-cache "r-internal";
    recursion no;
    /* -- standard config -- */

    /* included */
    zone "example.net" in {
        auto-dnssec maintain;
        type master;
        file "...";
        /* -- standard config -- */
    };
};

view "r-external" in { /* if you allow external recursion, or use acls to fake external clients */
    ...
};

view "external" in {
    ...
};
</code></pre>
<p>A script along the lines of:<br>
</p>
<pre><code>perl -e'while(&lt;&gt;){/^\s*zone/ &amp;&amp; print $_," type static-stub;\n server-addresses { 127.0.0.1; }; \n};\n"}' &lt;internal_zones.conf &gt;internal_stub_zones.conf</code></pre>
<p>will generate the static-stub declarations.</p>
<p>Of course, depending on how you add/remove zones, YMMV.<br>
</p>
<pre class="moz-signature" cols="72">Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. </pre>
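<p>An added example, not part of the original mail, that does what the perl one-liner above does with one extra check: it parses a named.conf fragment of internal zones, emits a static-stub declaration only for zones declared <code>type master</code>/<code>primary</code> (forward or secondary zones in the same include file would otherwise be stubbed too), and lets the stub point at any listener address instead of only 127.0.0.1. The zone fragment it reads is constructed for this example.</p>

```python
import re

# Constructed sample of the included file of internal zone declarations
# (the file the mail's perl one-liner reads as internal_zones.conf).
SAMPLE_INTERNAL_ZONES = """\
zone "example.net" in {
    auto-dnssec maintain;
    type master;
    file "/var/named/example.net.db";
};
zone "corp.example" {
    type master;
    file "/var/named/corp.example.db";
};
zone "partner.example" in {
    type forward;
    forwarders { 192.0.2.53; };
};
"""

# A zone block: name, optional class, body with at most one nested brace level.
ZONE_RE = re.compile(
    r'zone\s+"([^"]+)"\s*(?:in\s+)?\{((?:[^{}]|\{[^{}]*\})*)\};',
    re.IGNORECASE,
)

def authoritative_zones(conf_text):
    """Names of zones declared type master/primary; only those get a stub."""
    names = []
    for name, body in ZONE_RE.findall(conf_text):
        m = re.search(r'\btype\s+(\w+)\s*;', body, re.IGNORECASE)
        if m and m.group(1).lower() in ("master", "primary"):
            names.append(name)
    return names

def static_stub_block(name, server_addresses=("127.0.0.1",)):
    """One static-stub declaration pointing at the local authoritative view."""
    addrs = " ".join(a + ";" for a in server_addresses)
    return (f'zone "{name}" in {{\n'
            '    type static-stub;\n'
            f'    server-addresses {{ {addrs} }};\n'
            '};\n')

def generate_stub_conf(conf_text, server_addresses=("127.0.0.1",)):
    """The include file for the recursive view: one stub per authoritative zone."""
    return "".join(static_stub_block(n, server_addresses)
                   for n in authoritative_zones(conf_text))

if __name__ == "__main__":
    print(generate_stub_conf(SAMPLE_INTERNAL_ZONES), end="")
```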
</body>
</html>