04-02-2017 08:48 PM
I am looking for advice with the following scenario.
I'm using Grid Master (Stealth-Intranet) to sign the zone (abc.com), with a secondary zone on the external authoritative server (DMZ). I do have a validation server on the DMZ as well.
I have 2 ISPs that will be performing zone transfers from my external authoritative server.
ISP A - Does support DNSSEC
ISP B - Does not Support DNSSEC
Scenario 1 - If a client were to query ISP A for www.abc.com, it will get a signed query response.
Scenario 2 - What happens to a client querying ISP B?
- Does it still get the DNSSEC records?
- Will it fail, with NXDOMAIN returned?
- Or will it get a normal reply with an IP address, but not validated?
04-03-2017 12:40 PM
As soon as you have a DS RR in the parent zone (com. in your case), your child zone (abc) must be signed properly. If this is not the case, validation-enabled DNS resolvers will fail to validate the abc zone when they query the nameserver of ISP 2 and, even worse, also cache the response.
As a result, the resolver will return a SERVFAIL message back to the client, making abc literally invisible for all clients of that resolver. Because you normally don't know which ISP is being queried (it shouldn't make a difference at all), you jeopardise the DNS resolution of all your clients in a bad way.
The solution is quite simple: replace ISP 2 with an ISP who supports DNSSEC. Shouldn't be that difficult.
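One way to check what each ISP's nameserver actually hands back, as an added example that is not part of this thread: a minimal wire-format parser lists the RR types in the answer section, and `expected_outcome` applies the rule above (DS in the parent but no RRSIG in the reply means a validating resolver answers SERVFAIL). The two reply byte strings are constructed by hand to model ISP A (RRSIG present) and ISP B (RRSIG stripped); function names and the 192.0.2.10 address are assumptions of this example.

```python
"""Does an authoritative reply carry the RRSIG a validating resolver needs?
Added example: reply bytes are constructed, not captured from a real ISP."""
import struct

RRSIG = 46  # RR type number for RRSIG

def _skip_name(buf, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length

def answer_types(resp):
    """Set of RR types present in the answer section of a wire-format reply."""
    qdcount, ancount = struct.unpack("!HH", resp[4:8])
    off = 12                                      # end of the 12-byte header
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4           # skip QTYPE + QCLASS
    types = set()
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        types.add(rtype)
        off += 10 + rdlen
    return types

def expected_outcome(parent_has_ds, resp):
    """What a validating resolver does with this reply for the child zone."""
    if not parent_has_ds:
        return "insecure-answer"   # no chain of trust expected: plain answer
    if RRSIG in answer_types(resp):
        return "validated-answer"  # signatures present, validation can succeed
    return "SERVFAIL"              # DS promises a signed zone, proof is missing

# --- constructed sample replies (hypothetical data, not real ISP output) ---
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"

def _rr(rtype, rdata, ttl=300):   # owner name is a pointer to the question name
    return b"\xc0\x0c" + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def build_response(answers):
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, len(answers), 0, 0)  # QR, AA
    return hdr + _name("www.abc.com") + struct.pack("!HH", 1, 1) + b"".join(answers)

A_RDATA = bytes([192, 0, 2, 10])                               # TEST-NET-1 address
RRSIG_RDATA = bytes(18) + _name("abc.com") + bytes(16)         # dummy signature fields
ISP_A_REPLY = build_response([_rr(1, A_RDATA), _rr(RRSIG, RRSIG_RDATA)])
ISP_B_REPLY = build_response([_rr(1, A_RDATA)])                # RRSIG stripped
```

Against real nameservers, the same check applies to a reply captured from a query sent with the DO bit set; a reply without RRSIG from a zone that has a DS in the parent is the failure the answer above describes.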