[dns-operations] Split DNS: DNSSEC outside and not inside

Mark Andrews Mark_Andrews at isc.org
Wed Sep 3 03:46:27 UTC 2008

> At 9:02 +1000 9/2/08, Mark Andrews wrote:
> >>  On Aug 30, 2008, at 11:25 PM, Edward Lewis wrote:
> >>
> >>  >
> >>  > The one problem with DNSSEC and split-DNS that has not been solved
> >>  > is "how does one deploy DNSSEC on the outside and not on the
> >>  > inside?" (A topic for another thread.)
> >>
> >>  I've changed the thread subject, are you willing to describe this use
> >>  case in more detail?
> >>
> >>
> >>  --Olaf
> >
> >	I suspect that is more about being able to specify that
> >	a zone is *not* secure in the validator's configuration
> >	regardless of whether there is a DS in the parent or not.
> Well, Mark listed the suggested requirement I have in mind although 
> that is just one way to do it.  I also toyed with the notion of a 
> "null key" at the apex - saying "uh, never mind."  The difference is 
> one is a "control plane/configuration file" knob and the other is 
> in-data.

	You would have to touch the control plane to support a "null
	key" as the DS records from the parent won't match the "null

> The use case is this.  (Speaking in a hypothetical voice, 
> representing a previous employer's case.)  On an outside zone, I'll 
> have a few entries that are fairly static, like the public facing 
> servers of the org, the non-RFC 1918 stuff and all.  The inside zone 
> will be very dynamic, have updates from DHCP and from personal 
> computers configured to update the address data, include my RFC 1918 
> space, etc.  Because of the mayhem inside, and the different threat 
> model, I may decide (and have in the past) that it isn't worth 
> throwing DNSSEC into the internal mix.  As it is, the updates 
> from personal computers are not secured (because the key management 
> problem is too much for my staff to handle, slows things down, etc., 
> and a failure usually only hits the ones involved - plus mission 
> critical devices are configured in a way that is not vulnerable to a 
> "situation").
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis                                                +1-571-434-5468
> NeuStar
> Never confuse activity with progress.  Activity pays more.
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
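The "control plane/configuration file" knob discussed above, as an added example that is not from this thread: an Unbound resolver configuration for the inside of a split-DNS setup, where the internal view of the zone is served unsigned while the outside view of the same name is signed and has a DS in the parent. The zone name, trust-anchor path and stub server address are assumed for illustration.

```conf
server:
    # Validate everything by default using the root trust anchor
    # (file path is an assumption for this example).
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # Declare the internal view of corp.example insecure. Without this,
    # the validator would follow the DS in the parent for the (signed)
    # outside zone and mark every unsigned internal answer bogus.
    # The name corp.example is a placeholder.
    domain-insecure: "corp.example"

# Send queries for the internal zone to the internal authoritative
# server (address assumed) instead of resolving it from the outside.
stub-zone:
    name: "corp.example"
    stub-addr: 10.0.0.53
```

Only the named zone is exempted from validation; answers for every other name are still validated, so the knob narrows the trust decision to the one zone whose inside and outside views differ.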
