[dns-operations] Split DNS: DNSSEC outside and not inside

Edward Lewis Ed.Lewis at neustar.biz
Wed Sep 3 14:48:29 UTC 2008 

At 8:49 -0400 9/3/08, Olafur Gudmundsson wrote:

>Every time I see this I ask the same question
>"why is the internal naming the same as the external one when the
>contents is different?"

Let's say you have a host called 
"code-repository.organization.example.", do not use NAT, and would 
prefer that folks know the IP address of where you store your code 
although the server does from time to time make TCP connections to 
the outside world.

So you would have this:

outside

12.3.182.24.in-addr.arpa.  9600 IN  PTR   machine12.organization.example.

and inside

12.3.182.24.in-addr.arpa.  9600 IN  PTR   code-repository.organization.example.

That's one example.  Theorists, protocol hounds, and implementers 
would howl at most of the other examples I have because the examples 
highlight embarrassing operations situations thrust upon the DNS. 
Such as connecting a critical server to the inside and outside LANs 
(straddling the organization's firewall boundary), which I know is 
ludicrous but "that's the way it is/was" and "now (during an 
emergency) is not the time to lecture on the ludicrousness of that 
configuration."  Yes, been there, did the operations, lived the world 
of that vantage point.

>The way I recommend people to address this is to have an internal
>naming schema that is a delegation of the external one, e.g.
>inside.example.com with this all the DNSSEC issues about unsigned
>internal names disappear as the delegation to "inside" from example.com
>is provably insecure.
>
>The only complication is if there is an internal presence of the
>external services located on internal addresses. In that case the
>organization needs to have two copies if their zone signed with the SAME
>key one for the external world the other for the internal one.

The only complication to most recommended practices is the real 
world. The problem is that the organization does not want two copies 
of the zone signed with the same key.  That's the freakin' point of 
this thread, that's why I wanted to see a way to "cut off" DNSSEC 
validation for inside zones.
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                                +1-571-434-5468
NeuStar

Never confuse activity with progress.  Activity pays more.

More information about the dns-operations mailing list