[Opendnssec-user] signing dns views

Scott Armitage S.P.Armitage at lboro.ac.uk
Wed Oct 26 15:09:58 UTC 2011

On 26 Oct 2011, at 15:48, Rick van Rein wrote:

Thanks for the quick response Rick.

> Hash: SHA1
> Hi Scott,
>> If I have a different view for external (from the Internet) queries, than for internal queries (from my own network), does anyone know if it is possible to sign different views with ods? 
> So, here's another scenario.  You would create two separate
> instances of OpenDNSSEC, each signing a version of the zone.
> They also create their own KSKs and roll them independently.
> Then, using the possibility to enter multiple DS's into the
> parent zone, you would simply add one for each in your parent.
> Be sure to use the exact same set of algorithms (probably just
> RSA-SHA1 and/or RSA-SHA256) on both zones, or else you will
> see failures -- for each algorithm there must be a valid trace
> from parent to child; even if you (i.c. BIND) don't check it,
> someone else (i.c. Unbound) will.

I might have a go at this, if only to test how feasible it is.

> The ugly bit of this is that everyone would see your internal
> zone's DS, assuming that you didn't split the parent as well :)

I don't think that would be too much of an issue.

> So, here's a third scenario.  You could just setup an internal
> zone (and wonder if it needs signing, when you can trust your
> LAN) and specify in your resolvers (who probably are behind the
> same perimeter) the secure entry point of your choice for the
> internal view of the zone.

We have considered this but were thinking of using unbound for internal caching resolvers and would like to check the authenticity of records.

I also wondered whether in future this wouldn't be a problem with continuous signing (depending on how it is implemented).



-------------- next part --------------
A non-text attachment was scrubbed...
Name: PGP.sig
Type: application/pgp-signature
Size: 203 bytes
Desc: This is a digitally signed message part
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20111026/fbeb57db/attachment.bin>

More information about the Opendnssec-user mailing list