[Opendnssec-user] signing dns views
Scott Armitage
S.P.Armitage at lboro.ac.uk
Wed Oct 26 15:09:58 UTC 2011
On 26 Oct 2011, at 15:48, Rick van Rein wrote:
Thanks for the quick response, Rick.
> Hi Scott,
>
>> If I have a different view for external (from the Internet) queries, than for internal queries (from my own network), does anyone know if it is possible to sign different views with ods?
>
> So, here's another scenario. You would create two separate
> instances of OpenDNSSEC, each signing a version of the zone.
> They also create their own KSKs and roll them independently.
> Then, using the possibility to enter multiple DS's into the
> parent zone, you would simply add one for each in your parent.
>
> Be sure to use the exact same set of algorithms (probably just
> RSA-SHA1 and/or RSA-SHA256) on both zones, or else you will
> see failures -- for each algorithm there must be a valid trace
> from parent to child; even if you (i.c. BIND) don't check it,
> someone else (i.c. Unbound) will.
>
I might have a go at this, if only to test how feasible it is.
> The ugly bit of this is that everyone would see your internal
> zone's DS, assuming that you didn't split the parent as well :)
>
I don't think that would be too much of an issue.
>
> So, here's a third scenario. You could just setup an internal
> zone (and wonder if it needs signing, when you can trust your
> LAN) and specify in your resolvers (who probably are behind the
> same perimeter) the secure entry point of your choice for the
> internal view of the zone.
>
We have considered this but were thinking of using unbound for internal caching resolvers and would like to check the authenticity of records.
I also wondered whether in future this wouldn't be a problem with continuous signing (depending on how it is implemented).
Thanks
Scott