[dns-operations] Split DNS: DNSSEC outside and not inside
Mark Andrews
Mark_Andrews at isc.org
Wed Sep 3 03:46:27 UTC 2008
> At 9:02 +1000 9/2/08, Mark Andrews wrote:
> >> On Aug 30, 2008, at 11:25 PM, Edward Lewis wrote:
> >>
> >> >
> >> > The one problem with DNSSEC and split-DNS that has not been solved
> >> > is "how does one deploy DNSSEC on the outside and not on the
> >> > inside?" (A topic for another thread.)
> >>
> >> I've changed the thread subject; are you willing to describe this use
> >> case in more detail?
> >>
> >>
> >> --Olaf
> >
> > I suspect that is more about being able to specify that
> > a zone is *not* secure in the validators configuration
> > regardless of whether there is a DS in the parent or not.
>
> Well, Mark listed the suggested requirement I have in mind although
> that is just one way to do it. I also toyed with the notion of a
> "null key" at the apex - saying "uh, never mind." The difference is
> one is a "control plane/configuration file" knob and the other is
> in-data.
You would have to touch the control plane to support a "null
key" as the DS records from the parent won't match the "null
key".
Mark
> The use case is this. (Speaking in a hypothetical voice,
> representing a previous employer's case.) On an outside zone, I'll
> have a few entries that are fairly static, like the public facing
> servers of the org, the non-RFC 1918 stuff and all. The inside zone
> will be very dynamic, have updates from DHCP and from personal
> computers configured to update the address data, include my RFC 1918
> space, etc. Because of the mayhem inside, and the different threat
> model, I may decide (and have in the past) that it isn't worth
> throwing DNSSEC into the internal mix. As it is, the updates
> from personal computers are not secured (because the key management
> problem is too much for my staff to handle, slows things down, etc.,
> and a failure usually only hits the ones involved - plus mission
> critical devices are configured in a way that is not vulnerable to a
> "situation").
>
> --
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
> Edward Lewis +1-571-434-5468
> NeuStar
>
> Never confuse activity with progress. Activity pays more.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
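As an added illustration of the "control plane/configuration file" knob that the thread discusses (this is not configuration from the thread or from ISC; it assumes BIND 9.16 or later, where the `validate-except` option exists, and uses "example.com", the view names and the 10.0.0.53 address as placeholders), the following named.conf fragment runs a validating internal resolver that deliberately treats the unsigned internal copy of a zone as insecure, even though the public parent carries a DS for the signed external copy:

```conf
// Added example, not from the original thread. Assumes BIND 9.16+.
// Zone name, view names and addresses are placeholders.

view "internal" {
    // Clients on the RFC 1918 space described in the thread.
    match-clients { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; localhost; };
    recursion yes;

    // Validate everything from the Internet as usual.
    dnssec-validation auto;

    // The knob: treat example.com (and everything beneath it) as
    // insecure regardless of the DS published in the parent. Without
    // this, answers from the unsigned internal copy are bogus and the
    // resolver returns SERVFAIL for the whole zone.
    validate-except { "example.com"; };

    // Send internal queries for the zone to the internal, unsigned,
    // dynamically updated authoritative servers (placeholder address).
    zone "example.com" {
        type forward;
        forward only;
        forwarders { 10.0.0.53; };
    };
};

view "external" {
    match-clients { any; };
    recursion no;

    // The small, static, signed public copy; the DS in the parent
    // zone refers to the keys used to sign this file.
    zone "example.com" {
        type primary;
        file "external/example.com.db.signed";
    };
};
```

Unbound expresses the same policy with `domain-insecure: "example.com"` in its `server:` section. Either way the decision is made on the resolver, which is exactly Mark's point about the in-data "null key" idea: a validator that knows nothing about the internal arrangement still fetches the parent's DS, finds that it does not match whatever is at the apex, and marks the zone bogus, so the exception has to live in the resolver's configuration. A quick check after deploying is to query the internal resolver for a name in the zone with `dig +dnssec`: the expected result is a normal answer without the AD flag, not SERVFAIL.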