And that is my point .. show me your +dnssec dig against an internal authoritative server that has AD set.
John

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of Grant Taylor via bind-users
Sent: Monday, August 1, 2022 11:29 AM
To: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)

On 8/1/22 10:15 AM, John W. Blue via bind-users wrote:
> While that extra overhead is true, it is more accurate to say that if
> internal clients are talking directly to an authoritative server the
> AD flag will not be set. You will only get the AA flag. So there is
> nothing to be gained from signing an internal zone.

I feel like that's an unacceptably big if.

It also precludes clients from doing client-side DNSSEC validation.

Finally, why hold internal systems to a lower security standard than external systems?

--
Grant. . . .
unix || die

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
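The AA-versus-AD distinction the thread turns on, decoded from the flags word of a DNS message header, as an added example that is not part of this thread or of BIND; both sample headers are constructed, not captured traffic, and `trust_source` is a hypothetical helper name.

```python
import struct

# Bit masks for the 16-bit flags word of the DNS header (RFC 1035 / RFC 4035).
QR = 0x8000  # message is a response
AA = 0x0400  # Authoritative Answer: asserted by the server, not cryptographic
TC = 0x0200  # truncated
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # Authentic Data: set only when a validating resolver has validated the data
CD = 0x0010  # checking disabled

FLAG_NAMES = (("qr", QR), ("aa", AA), ("tc", TC), ("rd", RD), ("ra", RA), ("ad", AD), ("cd", CD))


def decode_flags(header: bytes) -> dict:
    """Parse the 12-byte DNS header and return each flag bit as a boolean."""
    if len(header) < 12:
        raise ValueError("a DNS header is 12 bytes")
    _msg_id, flags = struct.unpack("!HH", header[:4])
    return {name: bool(flags & mask) for name, mask in FLAG_NAMES}


def trust_source(header: bytes) -> str:
    """Classify what the response's trust rests on (hypothetical helper).

    'validated' means a validating resolver set AD; 'authoritative-unvalidated'
    means only AA is set, i.e. the server vouches for itself and nothing was
    checked against the DNSSEC chain of trust.
    """
    f = decode_flags(header)
    if not f["qr"]:
        return "query"
    if f["ad"]:
        return "validated"
    if f["aa"]:
        return "authoritative-unvalidated"
    return "unvalidated"


def make_header(flags: int, msg_id: int = 0x1234) -> bytes:
    """Build a constructed 12-byte header: id, flags, qdcount=1, ancount=1, 0, 0."""
    return struct.pack("!HHHHHH", msg_id, flags, 1, 1, 0, 0)


# Constructed samples: the same +dnssec query answered two ways.
AUTH_RESPONSE = make_header(QR | AA | RD)           # asked the authoritative server directly
RESOLVER_RESPONSE = make_header(QR | RD | RA | AD)  # asked a validating recursive resolver
```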