Tony,

Thanks for the observations!
My comments about intent and zone data size are based upon information that was presented at Infoblox training classes I have attended. I would assume that Infoblox being Infoblox would be (mostly) accurate when it comes to developing a slide deck. However, context is everything.

.local et al. TLDs have forever been a burr under my saddle and I know that many on this list will see no objection to the use of them. But I kill 'em off every chance I get.

John

-----Original Message-----
From: Tony Finch [mailto:d...@dotat.at]
Sent: Tuesday, September 24, 2019 2:01 PM
To: John W. Blue
Cc: bind-us...@isc.org
Subject: RE: DNSSEC basic information

John W. Blue <john.b...@rrcic.com> wrote:
>
> Nothing prevents anyone from using DNSSEC internally but, as I
> understand it, that was not the intent.

I'm a relative newcomer having only done DNSSEC for about 10 years (so I wasn't around until most of the design arguments were settled), but I don't remember seeing anyone say it wasn't intended for internal zones.

There can be some awkward things that make it much harder than signing a public zone, though:

* if your internal DNS squats on a fake TLD
* if someone says you can't use the same keys to sign internal and external views
* RFC 1918 reverse DNS

It would be a lot less awkward if there were a good way to distribute trust anchors for internal zones, but sadly there isn't.

> Additionally, if there is an obligation to validate zones internal to
> an organization that in and of itself should be a really big red flag
> something is wrong with trust relationships.

That depends a lot on how tightly controlled your org is :-)

In my fantasy world the DNS would serve as a convenient PKI for bootstrapping trust; but in the real world it's probably easier to bootstrap off private X.509 trust anchors or even ssh certificate auth, rather than DNSSEC, sadface.

> So the nuts and bolts of enabling DNSSEC increases zone data by 30 to
> 40%

More like a factor of 3.5x (number of records) or 10x (bytes of presentation format zone file) based on the cam.ac.uk zone (43k records before signing).

> not to mention the additional crypto load induced if there are
> frequent changes.

You need to be up in the thousands of updates per second before this is a problem - see https://lists.dns-oarc.net/pipermail/dns-operations/2019-September/019205.html

> If a split horizon is in use then internal zones typically have more
> records than external.

Yeah, private.cam.ac.uk has 350k records unsigned, but we're possibly being silly about DHCP placeholder records :-)

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Dover, Wight, Portland, Plymouth, Biscay: West or southwest 5 to 7, occasionally gale 8 except in Biscay. Moderate or rough in Dover and east Wight, but elsewhere rough or very rough. Showers. Moderate or good.
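Added example (editor's note, not part of either message above): Tony's "3.5x in records" figure follows directly from what signing adds per RRset and per owner name, and the script below makes that arithmetic explicit. It is a stand-alone Python estimator, not a tool from this thread or from BIND. Assumptions: a constructed toy zone in one-record-per-line presentation format with an explicit IN class; a single ZSK signing every RRset (one RRSIG per RRset); a DNSKEY RRset of two keys signed once by the KSK; for NSEC3, no opt-out and no empty non-terminals (which would each add a further NSEC3 + RRSIG). Byte growth is not modelled, since RRSIG size depends on the algorithm and key length.

```python
"""Estimate how many records a zone gains when signed with DNSSEC.

Counts only; the signing itself is not performed. Simplifying assumptions
(single ZSK, one KSK-signed DNSKEY RRset, no empty non-terminals) are
stated in the lead-in and marked inline.
"""
from collections import defaultdict

# Constructed sample zone for illustration only (not a real zone):
# 7 owner names, 10 RRsets, 11 records.
SAMPLE_ZONE = """
example.test.        3600 IN SOA  ns1.example.test. hostmaster.example.test. 1 7200 900 1209600 3600
example.test.        3600 IN NS   ns1.example.test.
example.test.        3600 IN NS   ns2.example.test.
example.test.        3600 IN MX   10 mail.example.test.
ns1.example.test.    3600 IN A    192.0.2.1
ns2.example.test.    3600 IN A    192.0.2.2
mail.example.test.   3600 IN A    192.0.2.3
mail.example.test.   3600 IN AAAA 2001:db8::3
www.example.test.    3600 IN A    192.0.2.4
host1.example.test.  3600 IN A    192.0.2.10
host2.example.test.  3600 IN A    192.0.2.11
"""


def parse_rrsets(zone_text):
    """Return {owner: {rrtype: record_count}} for a simple zone file.

    Only the 'owner TTL IN TYPE rdata' one-line form is supported; $ORIGIN,
    $TTL, relative names and multi-line records are deliberately rejected.
    """
    rrsets = defaultdict(lambda: defaultdict(int))
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unsupported line, expected 'owner TTL IN TYPE rdata': {raw!r}")
        owner, rtype = fields[0].lower(), fields[3].upper()
        rrsets[owner][rtype] += 1
    return rrsets


def signed_record_count(rrsets, dnskeys=2, nsec3=False):
    """Estimate the record count after signing and break down what was added."""
    apex = [owner for owner, types in rrsets.items() if "SOA" in types]
    if len(apex) != 1:
        raise ValueError("zone must contain exactly one SOA (the apex)")

    unsigned = sum(sum(types.values()) for types in rrsets.values())
    n_rrsets = sum(len(types) for types in rrsets.values())
    n_names = len(rrsets)

    added = {
        # Assumption: one ZSK, so each existing RRset gets exactly one RRSIG.
        "RRSIG over existing RRsets": n_rrsets,
        # KSK + ZSK at the apex (dnskeys=2 by default).
        "DNSKEY": dnskeys,
        # Assumption: DNSKEY RRset signed once, by the KSK.
        "RRSIG over DNSKEY": 1,
    }
    chain = "NSEC3" if nsec3 else "NSEC"
    # One denial-of-existence record per owner name, each with its own RRSIG.
    # Assumption for NSEC3: no opt-out and no empty non-terminals.
    added[chain] = n_names
    added[f"RRSIG over {chain}"] = n_names
    if nsec3:
        added["NSEC3PARAM"] = 1
        added["RRSIG over NSEC3PARAM"] = 1

    total = unsigned + sum(added.values())
    return {
        "unsigned": unsigned,
        "added": added,
        "total": total,
        "growth_factor": round(total / unsigned, 2),
    }


if __name__ == "__main__":
    for use_nsec3 in (False, True):
        report = signed_record_count(parse_rrsets(SAMPLE_ZONE), nsec3=use_nsec3)
        print(f"{'NSEC3' if use_nsec3 else 'NSEC'}: {report['unsigned']} -> "
              f"{report['total']} records ({report['growth_factor']}x)")
        for what, n in report["added"].items():
            print(f"  +{n:<3} {what}")
```

On the toy zone this gives 11 -> 38 records with NSEC (about 3.45x), in line with the 3.5x Tony reports for cam.ac.uk: a zone made mostly of single-record RRsets, one per name, roughly quadruples (record + RRSIG + NSEC + RRSIG over the NSEC), and multi-record RRsets pull the ratio down. To check a real zone, replace SAMPLE_ZONE with the output of `named-checkzone -D` (which normalises the file to the one-record-per-line form the parser expects) and compare against `dnssec-signzone` output.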