[Opendnssec-user] signing dns views

Paul Wouters paul at xelerance.com
Wed Oct 26 19:23:03 UTC 2011


On Wed, 26 Oct 2011, Scott Armitage wrote:

>> So, here's a third scenario.  You could just setup an internal
>> zone (and wonder if it needs signing, when you can trust your
>> LAN) and specify in your resolvers (who probably are behind the
>> same perimeter) the secure entry point of your choice for the
>> internal view of the zone.
>>
>
> We have considered this but were thinking of using unbound for internal caching resolvers and would like to check the authenticity of records.
>
> I also wondered whether in future this wouldn't be a problem with continuous signing (depending on how it is implemented).

You can tell unbound about this DNSSEC-secured "phantom" zone:

stub-zone:
        # the internal zone, served only by the LAN authoritatives below
        name: "internal.example.com."
        # do not try to look up the zone's NS set; just use stub-addr
        stub-prime: no
        stub-addr: 192.168.1.1
        stub-addr: 192.168.1.2

Then you can add a trusted-key statement for internal.example.com.

Unbound then knows that internal.example.com. does not exist in the "world view";
it will override any DNSSEC proof that internal.example.com. does not exist
and use the local nameservers specified, with the local key specified.

Paul
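For reference, here is a fuller unbound.conf fragment built from the stub-zone above. This is an added example, not part of Paul's message or of the OpenDNSSEC or Unbound projects. In unbound the per-zone secure entry point is configured with "trust-anchor:" or "trust-anchor-file:" (the latter taking a file of DNSKEY or DS records in zone-file syntax); the file path and the 192.168.1.x addresses are assumptions. The "private-domain" line is a practitioner caveat: if "private-address" filtering is enabled (as it is in several distribution default configs), answers in the internal zone that point at RFC 1918 addresses would otherwise be dropped as rebinding attempts.

```conf
server:
    # The validator module must be loaded for any trust anchor to matter.
    module-config: "validator iterator"

    # Secure entry point for the internal zone: a file holding the zone's
    # KSK as a DNSKEY or DS record, one per line, zone-file syntax.
    # Path is an assumption for this example.
    trust-anchor-file: "/etc/unbound/internal.example.com.anchor"

    # Caveat: if private-address filtering is on, allow this zone (and its
    # subdomains) to carry RFC 1918 addresses in its answers.
    private-domain: "internal.example.com."

stub-zone:
    # Send all queries for the zone straight to the LAN authoritatives.
    name: "internal.example.com."
    # Do not fetch the zone's NS RRset; trust the stub-addr list as given.
    stub-prime: no
    stub-addr: 192.168.1.1
    stub-addr: 192.168.1.2
```

Check the result with "unbound-checkconf" and then "unbound-host -v -D www.internal.example.com." on the resolver: the "(secure)" marker confirms the answer validated against the local anchor rather than being treated as a non-existent name from the global view. If the internal KSK is ever rolled, the anchor file must be updated in step, since unbound will not learn the new key from the parent.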
