2011/8/9 Chris Buxton <chris.p.bux...@gmail.com>:
> On Aug 9, 2011, at 10:07 AM, John Williams wrote:
>
>> --- On Tue, 8/9/11, Chris Buxton <chris.p.bux...@gmail.com> wrote:
>>
>>> With a private version of a domain, you should not need to
>>> worry about a DS record in the parent. Just make sure your
>>> internal caching servers not only can find the internal
>>> version of your domain, but also can validate the signatures
>>> therein, most likely using a trusted or managed key specific
>>> to that internal domain.
>>>
>>> I'll not try to get into the specifics of using MS DNS for
>>> this purpose because this is not the right forum.
>>>
>>> Regards,
>>> Chris Buxton
>>> BlueCat Networks
>>
>> Based on your response, I'm wondering how an application such as Exchange
>> (SMTP, which clearly relies on DNS) will work in this model. Are there
>> any effects of the parent domain (.com, .net, whatever...) not having
>> the DS records for the domain?
>
> I don't follow your reasoning.
>
> For SMTP, the DNS-related operation is in looking up the MX and A/AAAA
> records of other mail servers based on an outgoing message. If you're worried
> about other mail servers finding your Exchange server, there are two cases:
>
> - External. My comments had nothing to do with external (Internet-facing) DNS
> records. There, you would want to have DS records put into the parent zone to
> be able to authenticate the link from parent to child.
>
> - Internal. If you're using MX records internally, you're either very large
> or misguided. If you are large enough to warrant this, then your caching
> servers should be able to follow your internal chain of trust, starting at a
> private trust anchor. This is the point I was getting at.
>
> The use of internal, private namespace should be entirely transparent to any
> service other than DNS. Your mail server should not need to know about it,
> and should not be able to detect it (other than watching for private address
> space and obviously-private domain names like "corp.dom").

As I understood from there - http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx - Chris' scenario should work. But I doubt that it is reasonable to use DNSSEC for an internal domain and, moreover, with such limitations.

> Chris Buxton
> BlueCat Networks
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users

--
AP
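The setup Chris describes (an internally signed zone with no DS record in the public parent, validated by the internal caching servers from a private trust anchor) is easy to get half right: the resolver finds the internal zone but never validates it. The following is an added example, not code from the thread or from BlueCat or ISC. It writes a BIND 9 named.conf fragment that installs a private trust anchor and a static-stub zone pointing at the internal authoritative servers, and it includes a small check that a `dig +dnssec` answer actually carries the AD flag, which is how you tell a validated answer from a merely resolved one. Everything specific is constructed: the zone name corp.example, the server addresses 10.0.0.53 and 10.0.1.53, the placeholder key data, and the sample dig outputs; it assumes BIND 9.8 or later, where `static-stub` zones and `trusted-keys` exist.

```shell
#!/bin/sh
# Added example, not from the bind-users thread. Assumptions (constructed):
# internal zone "corp.example", internal authoritative servers 10.0.0.53 and
# 10.0.1.53, BIND >= 9.8 (static-stub zones). The key data is a PLACEHOLDER.

# Write a named.conf fragment that (1) turns validation on, (2) installs a
# private trust anchor for the internal zone, and (3) sends queries for that
# zone to the internal authoritative servers. Answers are validated against
# the anchor, so no DS record in the public parent is needed.
write_internal_dnssec_conf() {
    out="$1"
    cat > "$out" <<'EOF'
options {
    dnssec-validation yes;   # validate every answer the resolver returns
};

# Private trust anchor: the internal zone's KSK (flags 257, alg 8 = RSASHA256).
# PLACEHOLDER key data: replace with the base64 public key of your own KSK.
trusted-keys {
    "corp.example." 257 3 8 "REPLACE-WITH-BASE64-PUBLIC-KEY";
};

# Island of security: reach the internal zone directly, validate from the
# anchor above rather than via a DS chain from the public parent.
zone "corp.example" {
    type static-stub;
    server-addresses { 10.0.0.53; 10.0.1.53; };
};
EOF
}

# Given the text of `dig +dnssec <name> <type> @<resolver>`, succeed only if
# status is NOERROR and the resolver set the AD (authenticated data) flag.
# On a signed zone, a missing AD flag means the resolver found no chain of
# trust: no anchor configured, wrong key, or validation switched off.
answer_is_validated() {
    printf '%s\n' "$1" | awk '
        /^;; ->>HEADER<<-/ && /status: NOERROR,/ { ok = 1 }
        /^;; flags:/ {
            # flags run from field 3 up to the field ending in ";"
            for (i = 3; i <= NF; i++) {
                f = $i
                last = sub(/;$/, "", f)
                if (f == "ad") ad = 1
                if (last) break
            }
        }
        END { exit ((ok && ad) ? 0 : 1) }'
}

# Constructed sample dig outputs (not captured from any real server).
VALIDATED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
corp.example.   3600 IN MX 10 mail.corp.example.
corp.example.   3600 IN RRSIG MX 8 2 3600 20110901000000 20110801000000 12345 corp.example. cGxhY2Vob2xkZXI='

UNVALIDATED_ANSWER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
corp.example.   3600 IN MX 10 mail.corp.example.'

# Usage: sh internal-dnssec.sh [/path/to/named.conf.internal-dnssec]
main() {
    write_internal_dnssec_conf "${1:-./named.conf.internal-dnssec}"
    answer_is_validated "$VALIDATED_ANSWER"   && echo "sample 1: validated (AD set)"
    answer_is_validated "$UNVALIDATED_ANSWER" || echo "sample 2: NOT validated (AD missing)"
}
main "$@"
```

Include the generated fragment from named.conf on each internal caching server, then query it with `dig +dnssec corp.example MX @<resolver>` and run the output through `answer_is_validated`: the second sample above is what you see when the zone resolves but the anchor is missing, which is the failure mode the thread warns about. Use `static-stub` rather than a plain `forward` zone so that the resolver talks to the authoritative servers itself and validates with the RRSIGs they return.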