[prev in list] [next in list] [prev in thread] [next in thread]
List: unbound-users
Subject: Re: [Unbound-users] forward zone vs stub
From: Johan_Ihrén <johani () johani ! org>
Date: 2012-10-23 15:31:20
Message-ID: 8FECDFB4-322D-482B-B830-B292A3CB4F42 () johani ! org
[Download RAW message or body]
Hi Paul,
On Oct 23, 2012, at 17:07 , Paul Wouters wrote:
> On Tue, 23 Oct 2012, Johan Ihr=E9n wrote:
> =
> I agree with the below story line.....
> =
>> 1. Drop all your views. That's mostly a vendor lock-in that you don't ne=
ed these days.
>> =
>> 2. Run separate auth nameservers for the internal and external versions =
of the zone. Whether that's separate physical boxes or if you're just repla=
cing the views with separate virtual machines is up to you.
>> =
>> 3. Use "stub-zone:" to direct your recursive server to the internal vers=
ion of the zone (you're already doing this).
>> =
>> 4. [If needed] Use "forward-zone:" to arrange forwarding to the outside =
if your firewall requires that.
>> =
>> 5. If or when you do DNSSEC, use the same keys for both internal and ext=
ernal version of zone, and do validation in the recursive server; both vers=
ions of the zone will validate nicely, to the benefit of both external and =
internal users of your data.
>> =
>> Done.
> =
> You forgot to add that you need to load the trust anchor for the internal=
only
> zone loaded on the internal resolvers. This is assuming the internal
> zone is not visible in the external view. I guess if you leave an empty
> "internal" zone out in public, (with NS and DS) then you could
> potentially skip this part, but I have never tested that.
No, that's not needed. As long as you use the SAME keys (as I said) when si=
gning the internal and the external zones the signature chain from the publ=
ic root, via the DS in the external parent, to the internal signed zone (th=
at you find through the stub-zone: declaration) will work just fine. I've u=
sed that for years (after Wouter long ago fixed a bug for me to make it wor=
k).
You only need the trust anchor for root, nothing else, for validation of th=
e internal version of "example.com".
Umm, well, now I see what you actually wrote, "internal only zone". My assu=
mption (based on his example) was that the zones exist in a public version =
and an internal version, i.e. "example.com" does exist on the public side (=
as well as the internal side), and does have a DS. For zones that do not ex=
ist on the public side (like RFC1918 reverses, if you really need DNSSEC va=
lidation for them) your point is correct.
>> But now I really must get back to what I really should be doing today.
> =
> So say we all :)
And we all fail ;-)
Johan
_______________________________________________
Unbound-users mailing list
Unbound-users@unbound.net
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic