What you are describing more generally sounds like what is known as split-view or split-horizon DNS. In short, you split all (or part by virtue of delegation or forwarders) of your namespace into “internal” and “external” partitions; this is documented in the context of BIND here: https://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch04.html#split_dns
Best practices for DNSSEC under split-view vary, but several approaches along with their strengths and weakness are documented in this RFC draft: https://tools.ietf.org/html/draft-krishnaswamy-dnsop-dnssec-split-view-04 We have been using 4.1.2 in production for the last year or so… it works very well, but as the draft suggests there is a high overhead in the management of the keys, zones, and views, especially if you have a large namespace. 4.1.5 may be an easier option if you are a small shop and trust your internal networks. Cheers, Mathew Eis Northern Arizona University Information Technology Services -----Original Message----- From: bind-users <bind-users-boun...@lists.isc.org> on behalf of Matthias Fechner <ide...@fechner.net> Date: Wednesday, April 26, 2017 at 9:36 AM To: "bind-users@lists.isc.org" <bind-users@lists.isc.org> Subject: Overwrite A record from DNSSEC protected domain if I am the owner of the domain Dear all, I have a domain fechner.net which is protected using DNSSEC. The zone is managed on a server located in a data center. Some A records are pointing to a computer that has a low speed internet connection on the WAN site, but very fast connection on the LAN site. If I know located in this LAN and I resolve the hostname (in this LAN also bind9.10 is running), I will get the IP of the WAN connection and the traffic is flowing out of the interface where the standard gateway is defined, goes to the provider and is coming back over a tunnel using the WAN connection. I can explain it more in detail, but the routing should not be important for the question I have. Now I would like to overwrite some of the A records from my zone (I have full access to public and private key for DNSSEC). Some CNAMEs will point to this A record, so I have to change only the IP from the A record, all other CNAMEs can be handled by the offical bind that it reachable on the internet. Normally I would use RPZ to handle this, but it seems that this will not work if the A record is using DNSSEC (at least the manual says that it will not rewrite the A record if DNSSEC is used to protect the A record). So what I would like to have: - if I resolve from external it should reolve to the official IP that is reachable from the internet - if I resolve from my local LAN it should return the internal IP like 192.168.0.1, that is only reachable from the LAN What is the suggested (best practise) approach to handle such a case with bind 9.10? Thanks a lot. Gruß Matthias -- "Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the universe trying to produce bigger and better idiots. So far, the universe is winning." -- Rich Cook _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users