Hi Guys, 


I am looking for advice with the following scenario. 


I'm using Grid Master (stealth, intranet) to sign the zone, with a secondary zone on the external authoritative server (DMZ). I do have a validation server on the DMZ as well.


I have 2 ISPs that will be performing zone transfers from my external authoritative server.


ISP A - does support DNSSEC

ISP B - does not support DNSSEC


Scenario 1 - If a client were to query ISP A, it will get a signed query response.

Scenario 2 - What happens to a client querying ISP B?

- Does it still get the DNSSEC records?

- Will it fail, with NXDOMAIN returned?

- Or will it get a normal reply with an IP address, but not validated?


As soon as you have a DS RR in the parent zone (com. in your case), your child zone (abc) must be signed properly. If this is not the case, validation-enabled DNS resolvers will fail to validate the abc zone when they query the nameserver of ISP 2 and, even worse, will also cache the response.

As a result, the resolver will return a SERVFAIL message back to the client, making abc literally invisible for all clients of that resolver. Because you normally don't know which ISP is being queried (it shouldn't make a difference at all), you jeopardise the DNS resolution of all your clients in a bad way.


The solution is quite simple: replace ISP 2 with an ISP who supports DNSSEC. Shouldn't be that difficult.
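To make the failure mode in the answer above concrete, here is an added example (not part of either post, and not Infoblox or ISP code): a toy validating resolver in Python. It builds a DS record from a constructed KSK the way com. would publish it (RFC 4034 digest and key-tag arithmetic), then classifies what each nameserver's reply looks like to a validating resolver. The nameserver labels, the KSK bytes and the 203.0.113.10 address are all constructed; RRSIG verification itself is replaced by a flag, which is an assumption stated in the code. It also goes one step beyond the two-ISP case to show a stale-key server and the pre-DS situation, because those land in the same SECURE / INSECURE / BOGUS buckets.

```python
"""
Added example: a toy validating resolver that shows what a stub client gets back
when it queries a DNSSEC-capable nameserver (ISP A) versus one that serves the
zone without DNSSEC records (ISP B) while the parent (com.) already publishes a DS.
All keys, names and addresses are constructed; only the DS digest and key-tag
arithmetic follow RFC 4034.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase) DNS wire format: 'abc.com.' -> b'\\x03abc\\x03com\\x00'."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


@dataclass(frozen=True)
class Dnskey:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int     # 13 = ECDSAP256SHA256
    public_key: bytes  # constructed placeholder bytes, not a real key

    def rdata(self) -> bytes:
        # RDATA = flags(2) | protocol(1, always 3) | algorithm(1) | public key
        return struct.pack("!HBB", self.flags, 3, self.algorithm) + self.public_key

    def key_tag(self) -> int:
        """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
        acc = 0
        for i, b in enumerate(self.rdata()):
            acc += (b << 8) if i % 2 == 0 else b
        acc += (acc >> 16) & 0xFFFF
        return acc & 0xFFFF


@dataclass(frozen=True)
class Ds:
    key_tag: int
    algorithm: int
    digest_type: int   # 2 = SHA-256
    digest: bytes


def ds_from_dnskey(owner: str, key: Dnskey) -> Ds:
    """DS digest = SHA-256(owner name in wire format | DNSKEY RDATA), RFC 4034 section 5.1.4."""
    digest = hashlib.sha256(name_to_wire(owner) + key.rdata()).digest()
    return Ds(key.key_tag(), key.algorithm, 2, digest)


@dataclass(frozen=True)
class Response:
    """What one authoritative server returns for an A query with the DO bit set (constructed)."""
    nameserver: str
    address: Optional[str]       # A record, or None for a name-error (NXDOMAIN) answer
    dnskeys: tuple = ()          # DNSKEY RRset the server publishes for the zone
    rrsig_valid: bool = False    # RRSIGs present and cryptographically valid
                                 # (assumption: signature checking is modelled by this flag)


def validate(zone: str, parent_ds: Optional[Ds], resp: Response) -> str:
    """Classify a response as SECURE, INSECURE or BOGUS (RFC 4035 section 4.3 terms)."""
    if parent_ds is None:
        # No DS in the parent: no chain of trust, the resolver uses the data unvalidated.
        return "INSECURE"
    # A DS exists, so the resolver expects a matching DNSKEY plus valid RRSIGs.
    if not any(ds_from_dnskey(zone, k) == parent_ds for k in resp.dnskeys):
        return "BOGUS"   # no DNSKEY matches the parent's DS: unsigned copy or stale key
    if not resp.rrsig_valid:
        return "BOGUS"   # keys present but the data is not validly signed
    return "SECURE"


def resolver_answer(zone: str, parent_ds: Optional[Ds], resp: Response):
    """What a validating resolver hands back to the stub client: (rcode, address)."""
    state = validate(zone, parent_ds, resp)
    if state == "BOGUS":
        return ("SERVFAIL", None)   # bogus data is never passed on to the client
    if resp.address is None:
        return ("NXDOMAIN", None)
    return ("NOERROR", resp.address)


def simulate(zone: str = "abc.com."):
    """Run the two-ISP scenario from the post; returns {nameserver: (rcode, address)}."""
    ksk = Dnskey(257, 13, b"constructed-ksk-public-key")
    old_ksk = Dnskey(257, 13, b"constructed-ksk-before-rollover")
    parent_ds = ds_from_dnskey(zone, ksk)   # what com. publishes for abc
    ip = "203.0.113.10"                     # constructed, documentation range
    responses = [
        Response("isp-a (signed transfer)", ip, dnskeys=(ksk,), rrsig_valid=True),
        Response("isp-b (serves zone without DNSSEC records)", ip),
        Response("isp-c (stale key after rollover)", ip, dnskeys=(old_ksk,), rrsig_valid=True),
    ]
    results = {r.nameserver: resolver_answer(zone, parent_ds, r) for r in responses}
    # The same unsigned server before the DS is published in com.: merely insecure, still resolves.
    results["isp-b before DS publication"] = resolver_answer(zone, None, responses[1])
    return results


if __name__ == "__main__":
    for ns, (rcode, addr) in simulate().items():
        print(f"{ns:45s} -> {rcode} {addr or ''}")
```

The point the simulation makes: the answer to the original question is neither "NXDOMAIN" nor "normal reply, not validated" once the DS is in com.; a validating resolver that happens to hit ISP B returns SERVFAIL, and a non-validating resolver returns the address as if nothing were wrong, so the outage depends on which resolver and which ISP a given client lands on. Before the DS is published, the same unsigned server is only INSECURE and still resolves, which is why the DS must be the last thing published, not the first.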



