Re: DNSSEC signing of an internal zone gains nothing (unless??)

Mon, 01 Aug 2022 11:13:16 -0700 

Hmmm - might be saying the wrong thing but...
.SE was DNSSEC Signed waaay before the root, so if living in Sweden, one would prep your DNSSEC aware resolver with the DS Key of the .SE Zone. DNSSEC then worked for .SE domains. Perhaps do the same? 


I do get confused further down in this email when one says you'll get 
back an "AA" flag in the answer. That will only happen if you ask the 
Authoritative Server for the domain you are looking in. That shouldn't 
be a Recursive server. It is terribly bad practice to have a BIND server 
running in both Authoritative and Recursive mode at the same time - 
should be two separate instances of BIND.


On 8/1/22 7:51 PM, John W. Blue via bind-users wrote:

Also do not disagree.

However, the intent of the thread is to talk about the lack of an AD flag from 
a non-public internal authoritative server.  Based upon what I am seeing only 
the AA flag is set.

John

-----Original Message-----
From: John Franklin [mailto:frank...@sentaidigital.com]
Sent: Monday, August 1, 2022 12:45 PM
To: John W. Blue
Cc: bind-users@lists.isc.org
Subject: Re: DNSSEC signing of an internal zone gains nothing (unless??)

On Aug 1, 2022, at 12:15, John W. Blue via bind-users 
<bind-users@lists.isc.org> wrote:

As some enterprise networks begin to engineer towards the concepts of 
ZeroTrust, one item caught me unaware:  PM’s asking for the DNSSEC signing of 
an internal zone.

  
Granted, it has long been considered unwise by DNS pro’s with a commonly stated reason that it increasing the size of the zone yadda, yadda, yadda.

  [snip]
Thoughts?

DNSSEC enables use of certain security RRs, such as SSHA and TLSA, which can be 
used as part of a zero trust solution in DevOps pipelines.  It’s also good 
practice managing DNSSEC before deploying it in public production sites.

jf

--

Mark James ELKINS  -  Posix Systems - (South) Africa
m...@posix.co.za       Tel: +27.826010496 <tel:+27826010496>

For fast, reliable, low cost Internet in ZA: https://ftth.posix.co.za 
<https://ftth.posix.co.za>






Attachment:
OpenPGP_0xB6FA15470B82C101.asc

Description: application/pgp-keys



Attachment:
OpenPGP_signature

Description: OpenPGP digital signature


-- 
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users






















					Reply via email to