Re: DNSSEC and split DNS

2013-10-28 Thread David Newman
On 10/28/13 1:46 PM, Mark Andrews wrote:
> In message <526eba87.7040...@networktest.com>, David Newman writes:
>>
>>> 3. Another internal nameserver gets intermittent dig +dnssec errors on
>>> queries for internal resources. Sometimes after a restart, the result is
>>> NOERROR and other times it's

Re: DNSSEC and split DNS

2013-10-28 Thread Mark Andrews
In message <526eba87.7040...@networktest.com>, David Newman writes:
>
> > 3. Another internal nameserver gets intermittent dig +dnssec errors on
> > queries for internal resources. Sometimes after a restart, the result is
> > NOERROR and other times it's NXDOMAIN or SERVFAIL.

Inconsistent use of

Re: DNSSEC and split DNS

2013-10-28 Thread David Newman
On 10/25/13 6:11 PM, David Newman wrote:
>
>
> On 10/23/13 5:20 PM, Mark Andrews wrote:
>> In message <5268626c.8040...@networktest.com>, David Newman writes:
>>> On 10/23/13 4:28 PM, Mark Andrews wrote:
>>>> You sign all versions of the zone.
>>>>
>>>> As for key management you can:
>

Re: DNSSEC and split DNS

2013-10-25 Thread David Newman
On 10/23/13 5:20 PM, Mark Andrews wrote:
> In message <5268626c.8040...@networktest.com>, David Newman writes:
>> On 10/23/13 4:28 PM, Mark Andrews wrote:
>>> You sign all versions of the zone.
>>>
>>> As for key management you can:
>>>
>>> * use the same keys in all views which makes

Re: DNSSEC and split DNS

2013-10-23 Thread Mark Andrews
In message <5268626c.8040...@networktest.com>, David Newman writes:
> On 10/23/13 4:28 PM, Mark Andrews wrote:
> > You sign all versions of the zone.
> >
> > As for key management you can:
> >
> > * use the same keys in all views which makes mobile device
> > management simpler

Re: DNSSEC and split DNS

2013-10-23 Thread Mark Andrews
In message <526857a2.8050...@networktest.com>, David Newman writes:
> On the surface, split DNS and DNSSEC have seemingly opposite goals: One
> seeks to provide different responses to queries for the same resource,
> and the other seeks to prevent it.

DNSSEC seeks to prevent *other parties* from

Re: DNSSEC and split DNS

2013-10-23 Thread David Newman
On 10/23/13 4:28 PM, Mark Andrews wrote:
> You sign all versions of the zone.
>
> As for key management you can:
>
> * use the same keys in all views which makes mobile device
> management simpler as there is no need to distribute keys.
> Validating from the root

Re: DNSSEC and split DNS

2013-10-23 Thread Mark Andrews
You sign all versions of the zone.

As for key management you can:

* use the same keys in all views which makes mobile device
  management simpler as there is no need to distribute keys.
  Validating from the root will work in all cases though the