On 04-07-12 16:39, Casper Gielen wrote:
Oh, that is quite a show-stopper. Can anybody confirm that this is not possible?
Does anybody have an idea for a workaround on how to use OpenDNSSEC in a
scenario with split horizon DNS?
Confirmed, OpenDNSSEC is not compatible with split-dns.
ODS uses the name of the zone as an identifier. Two zones with the same
name are not possible. I've not found a work-around other then running
two copies of ODS.
However, realistically speaking, split-dns with dnssec is only of
limited utillity. Split-dns is typically used to serve a different zone
to 'internal' users that are on the same network as the DNS-server. Most
often there is no seperate resolver involved. Even if there is a
seperate resolver, the traffic between the client and the resolver is
not secured.
My own reason for wanting to use split-dns in combination with DNSSEC is
to keep my system simple. I don't want to treat the internal and
external zones seperatly. I don't care about signing the internal zone,
I just don't like making exceptions.
I've been told that ODS2 will contain support for split-dns and for
unsigned zones.
--
Casper Gielen <[email protected]> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981 63B8 2214 083C F80E 4AF7
Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
