As some enterprise networks begin to engineer towards the concepts of ZeroTrust, one item caught me unaware: PM's asking for the DNSSEC signing of an internal zone.
Granted, it has long been considered unwise by DNS pro's with a commonly stated reason that it increasing the size of the zone yadda, yadda, yadda. While that extra overhead is true, it is more accurate to say that if internal clients are talking directly to an authoritative server the AD flag will not be set. You will only get the AA flag. So there is nothing to be gained from signing an internal zone. However, I have not tested it yet, I would assume that if a non-authoritative internal server was queried it would be able to walk the chain of trust and return AD. Thoughts? John
-- Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users