
DNSSEC

scripy
Techie
Posts: 1

Hi Guys,

I am looking for advice with the following scenario.

I'm using Grid Master (stealth, intranet) to sign the zone (abc.com), with a secondary zone on the external authoritative server (DMZ). I do have a validation server on the DMZ as well.

I have 2 ISPs that will be performing zone transfers from my external authoritative server.

ISP A - Does support DNSSEC

ISP B - Does not support DNSSEC

Scenario 1 - If a client were to query ISP A for www.abc.com, it will get a signed query response.

Scenario 2 - What happens to a client querying ISP B?

- Does it still get the DNSSEC records?

- Will it fail, with NXDOMAIN returned?

- Or will it get a normal reply with the IP address, but not validated?


Re: DNSSEC

Expert
Posts: 42

As soon as you have a DS RR in the parent zone (com. in your case), your child zone (abc) must be signed properly. If this is not the case, validation-enabled DNS resolvers will fail to validate the abc zone when they query the nameserver of ISP 2 and, even worse, also cache the response.

As a result, the resolver will return a SERVFAIL message back to the client, making abc literally invisible to all clients of that resolver. Because you normally don't know which ISP is being queried (it shouldn't make a difference at all), you jeopardise the DNS resolution of all your clients in a bad way.

The solution is quite simple: replace ISP 2 with an ISP who supports DNSSEC. Shouldn't be that difficult.

Cheers
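A way to check this per server before it bites, as an added example that is not from the thread or from Infoblox: the pure functions encode the rule the reply states (DS in the parent plus a server without DNSKEY/RRSIG equals bogus, i.e. SERVFAIL), and `probe()` collects a live observation with dnspython, which is assumed to be installed only for that function.

```python
"""Added example: what a validating resolver does with each authoritative server.

Rule from the reply above: once a DS for the zone is in the parent, every
server (ISP A *and* ISP B) must serve DNSKEY and RRSIG records, or validators
mark the answer bogus and return SERVFAIL.
"""
from dataclasses import dataclass
from typing import Dict, Iterable

@dataclass(frozen=True)
class ServerObservation:
    """What a DO=1 DNSKEY query to one authoritative server returned."""
    name: str
    has_dnskey: bool  # DNSKEY RRset present at the zone apex
    has_rrsig: bool   # RRSIG records accompany the answer

def validator_outcome(ds_in_parent: bool, obs: ServerObservation) -> str:
    """insecure: no DS in the parent, answer accepted unvalidated (no AD bit).
    secure:   DS present and the server supplies DNSKEY + RRSIG.
    bogus:    DS present but signatures missing; the resolver answers SERVFAIL."""
    if not ds_in_parent:
        return "insecure"
    if obs.has_dnskey and obs.has_rrsig:
        return "secure"
    return "bogus"

def audit(ds_in_parent: bool, observations: Iterable[ServerObservation]) -> Dict[str, str]:
    return {o.name: validator_outcome(ds_in_parent, o) for o in observations}

def zone_is_safe(ds_in_parent: bool, observations: Iterable[ServerObservation]) -> bool:
    """False if any server is bogus: resolvers pick servers arbitrarily and
    cache the failure, so one unsigned secondary breaks the whole zone."""
    return "bogus" not in audit(ds_in_parent, observations).values()

def probe(zone: str, server_ip: str, timeout: float = 3.0) -> ServerObservation:
    """Live observation via dnspython (imported here so the pure logic runs without it)."""
    import dns.message, dns.query, dns.rdatatype
    q = dns.message.make_query(zone, dns.rdatatype.DNSKEY, want_dnssec=True)
    r = dns.query.udp(q, server_ip, timeout=timeout)
    types = {rrset.rdtype for rrset in r.answer}
    return ServerObservation(server_ip, dns.rdatatype.DNSKEY in types,
                             dns.rdatatype.RRSIG in types)

if __name__ == "__main__":
    # Constructed observations for the question's scenario, not real probes;
    # replace with probe("abc.com.", "<ns-ip>") for each NS in the delegation.
    isp_a = ServerObservation("ISP-A", has_dnskey=True, has_rrsig=True)
    isp_b = ServerObservation("ISP-B", has_dnskey=False, has_rrsig=False)
    print(audit(True, [isp_a, isp_b]))        # {'ISP-A': 'secure', 'ISP-B': 'bogus'}
    print(zone_is_safe(True, [isp_a, isp_b]))  # False
```

Run it against every NS listed in the parent's delegation, not just the ones you operate, since a resolver may land on any of them.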
