[dns-operations] Split DNS: DNSSEC outside and not inside
Edward Lewis
Ed.Lewis at neustar.biz
Wed Sep 3 14:48:29 UTC 2008
At 8:49 -0400 9/3/08, Olafur Gudmundsson wrote:
>Every time I see this I ask the same question:
>"why is the internal naming the same as the external one when the
>contents are different?"
Let's say you have a host called
"code-repository.organization.example.", do not use NAT, and would
prefer that folks know the IP address of where you store your code
although the server does from time to time make TCP connections to
the outside world.
So you would have this:
outside
12.3.182.24.in-addr.arpa. 9600 IN PTR machine12.organization.example.
and inside
12.3.182.24.in-addr.arpa. 9600 IN PTR code-repository.organization.example.
That's one example. Theorists, protocol hounds, and implementers
would howl at most of the other examples I have because the examples
highlight embarrassing operations situations thrust upon the DNS.
Such as connecting a critical server to the inside and outside LANs
(straddling the organization's firewall boundary), which I know is
ludicrous but "that's the way it is/was" and "now (during an
emergency) is not the time to lecture on the ludicrousness of that
configuration." Yes, been there, did the operations, lived the world
of that vantage point.
>The way I recommend people to address this is to have an internal
>naming schema that is a delegation of the external one, e.g.
>inside.example.com with this all the DNSSEC issues about unsigned
>internal names disappear as the delegation to "inside" from example.com
>is provably insecure.
>
>The only complication is if there is an internal presence of the
>external services located on internal addresses. In that case the
>organization needs to have two copies of their zone signed with the SAME
>key, one for the external world, the other for the internal one.
The only complication to most recommended practices is the real
world. The problem is that the organization does not want two copies
of the zone signed with the same key. That's the freakin' point of
this thread, that's why I wanted to see a way to "cut off" DNSSEC
validation for inside zones.
--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis +1-571-434-5468
NeuStar
Never confuse activity with progress. Activity pays more.
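The three layouts discussed in this exchange behave differently under a validating resolver: a separate unsigned delegation ("inside.example.") with no DS record in the signed parent is provably insecure and validators accept its answers; the same zone name served unsigned on the inside fails validation (bogus, SERVFAIL) once a validator holds the parent's DS; two copies signed with the same key validate on both sides. The toy validator below, written for this reply and not code from the thread or from any DNS software, models just that chain-of-trust decision over constructed zone trees. The zone names ("example.", "inside.example."), the `Zone` dataclass and the function names are assumptions of the example, and the root is taken as the only trust anchor.

```python
"""Toy model of how a DNSSEC validator classifies names under the split-DNS
layouts from the thread. Added example with constructed data; it sends no
DNS traffic and implements no real cryptography, only the DS/delegation logic."""

from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str                                   # zone apex, e.g. "example."
    signed: bool                                # does this zone publish RRSIGs?
    ds_for: set = field(default_factory=set)    # child apexes that have a DS RR here


# Layout A (the quoted recommendation): internal names live under an
# unsigned delegation whose parent publishes NO DS record for it.
LAYOUT_DELEGATION = {
    ".": Zone(".", True, {"example."}),
    "example.": Zone("example.", True),                # no DS for inside.example.
    "inside.example.": Zone("inside.example.", False),
}

# Layout B (the situation the poster describes): the same apex name is served
# with different contents inside, and the internal copy is not signed.
LAYOUT_SPLIT_UNSIGNED = {
    ".": Zone(".", True, {"example."}),
    "example.": Zone("example.", False),
}

# Layout C (the "two copies, same key" answer): the internal copy is signed too.
LAYOUT_SPLIT_SIGNED = {
    ".": Zone(".", True, {"example."}),
    "example.": Zone("example.", True),
}


def zone_chain(qname, zones):
    """Zone apexes enclosing qname, root first, e.g.
    'code-repository.inside.example.' -> ['.', 'example.', 'inside.example.']."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    chain = ["."]
    for i in range(len(labels) - 1, -1, -1):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            chain.append(candidate)
    return chain


def validation_state(qname, zones):
    """Walk each zone cut from the trust anchor down to qname and return
    'secure', 'insecure' or 'bogus' the way a validator would classify it."""
    chain = zone_chain(qname, zones)
    state = "secure"  # the root is the configured trust anchor
    for parent_name, child_name in zip(chain, chain[1:]):
        if state != "secure":
            # Below an insecure cut nothing is validated; bogus stays bogus.
            break
        parent, child = zones[parent_name], zones[child_name]
        if child_name in parent.ds_for:
            # The parent vouches for the child's key: the child MUST be signed,
            # otherwise the missing signatures make every answer bogus.
            state = "secure" if child.signed else "bogus"
        else:
            # The signed parent proves (NSEC/NSEC3) that no DS exists:
            # a provably insecure delegation, accepted without signatures.
            state = "insecure"
    return state


if __name__ == "__main__":
    for label, zones, name in [
        ("delegation, unsigned child", LAYOUT_DELEGATION, "code-repository.inside.example."),
        ("same apex, unsigned inside", LAYOUT_SPLIT_UNSIGNED, "code-repository.example."),
        ("same apex, signed same key", LAYOUT_SPLIT_SIGNED, "code-repository.example."),
    ]:
        print(f"{label:30s} -> {validation_state(name, zones)}")
```

The point the model makes explicit is the one behind the "cut off validation" wish: a validator that already trusts the DS for "example." has no protocol-level way to accept an unsigned internal copy of that same zone, whereas a delegation without a DS gives it exactly that opt-out for the "inside" subtree.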