
BIND and DNSSEC


Kobus Bensch
Oct 31, 2012, 11:05:54 AM
to bind-...@lists.isc.org
Hi

Can anybody point me in the direction of a good guide on setting up BIND split horizon DNS and DNSSEC?

Thanks in advance

Kobus

--

Feng He
Oct 31, 2012, 10:01:08 PM
to bind-...@lists.isc.org
On 2012-10-31 23:05, Kobus Bensch wrote:
> Can anybody point me in the direction of a good guide on setting up BIND split horizon DNS and DNSSEC?

Kobus Bensch
Nov 1, 2012, 3:02:31 AM
to Feng He, bind-...@lists.isc.org
Thank you for this. Had a look and it seems fairly easy. Not sure if that is a flippant remark. 

A question: is implementing DNSSEC a good enough reason to abandon split horizon DNS?

Kobus 

Sent from my iPhone
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-...@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Alan Clegg
Nov 1, 2012, 7:08:10 AM
to Kobus Bensch, bind-...@lists.isc.org
On Nov 1, 2012, at 3:02 AM, Kobus Bensch <kbe...@fullnet.co.uk> wrote:

> Thank you for this. Had a look and it seems fairly easy. Not sure if that is a flippant remark.

As the author of this document, I must say thanks. Deploying DNSSEC is not hard.

It's the care and feeding after-the-fact (key rollover) that you must be extremely careful with.

> A question: is implementing dnssec a good enough reason to abandon split horizon DNS?

I'd find any excuse to abandon views/split-horizon.

AlanC
--
Alan Clegg | +1-919-355-8851 | al...@clegg.com





Kobus Bensch
Nov 1, 2012, 7:14:00 AM
to bind-...@lists.isc.org
Hi

Is that because split horizon doubles admin or because it's bad altogether?

I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.

Kobus
--
Fullnet Solutions Limited
7 Marlborough Close
Maidenhead
Berkshire
SL6 4LP
United Kingdom

Telephone: +44 (07703) 503 733

Kobus Bensch: kbe...@fullnet.co.uk

Information: in...@fullnet.co.uk

WWW: http://www.fullnet.co.uk

Registered in England & Wales.
Company Number: 3568937

VAT registration number: UK 714 7309 42


Alan Clegg
Nov 1, 2012, 7:26:31 AM
to Kobus Bensch, bind-...@lists.isc.org

On Nov 1, 2012, at 7:14 AM, Kobus Bensch <kbe...@fullnet.co.uk> wrote:

> Is that because split horizon doubles admin or because its bad all together?
>
> I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.

Crafted for a private reply, but being re-used here:

There are places that views/split-horizon fit the model that has been put into place. It does, however, break the "one-question, one-answer" concept that was foundational for DNS.

My recommendation is that for "internal" addressing, a separate zone be created that serves that address space. You gain a number of things from this, including easier debugging and better data security (no longer are you concerned about exactly what clients are seeing at "www.internal.example.com" since you know that the only people able to resolve/route "internal.example.com" are the ones that should be able to).

The problem lies in that over the years, people (usually the higher-ups) have been trained (by us, the in-the-trench guys) that "www.example.com" can be one thing internally and something else externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com.

All the best,

Tony Finch
Nov 1, 2012, 7:34:23 AM
to Feng He, bind-...@lists.isc.org
I recommend using "auto-dnssec maintain" so named keeps the zone signed,
instead of dnssec-signzone.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
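Tony's point, and Alan's earlier one about the "care and feeding" of a signed zone, come down to the same operational risk: once the zone is signed, a signature that expires before named (with `auto-dnssec maintain` and `inline-signing yes` in the zone stanza) has re-signed it makes the whole zone bogus for every validating resolver. The script below is an added example, not from the thread or from ISC; it parses RRSIG records in the presentation format that `dig +dnssec` prints and flags any signature that is expired, not yet valid (usually a clock problem on the signer or the resolver), or within a warning window of expiry. The record set `SAMPLE`, the owner names and key tags, and the seven-day warning threshold are all constructed for the example.

```python
"""Flag RRSIGs that are expired, not yet valid, or close to expiry.

Added example. SAMPLE is constructed data in the presentation format
that `dig +dnssec` prints; it is not real zone data.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample (not from the thread). Field order of an RRSIG in
# presentation format (RFC 4034): owner TTL class RRSIG type-covered
# algorithm labels original-TTL expiration inception key-tag signer sig
SAMPLE = """\
example.com.      3600 IN RRSIG SOA    8 2 3600 20121201000000 20121101000000 12345 example.com. AAAA
example.com.      3600 IN RRSIG DNSKEY 8 2 3600 20121107120000 20121101000000 54321 example.com. BBBB
www.example.com.   300 IN A     192.0.2.10
www.example.com.   300 IN RRSIG A      8 3 300  20121031000000 20121024000000 12345 example.com. CCCC
mail.example.com.  300 IN RRSIG A      8 3 300  20121202000000 20121102000000 12345 example.com. DDDD
"""


def parse_sigtime(field):
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(text):
    """Return the RRSIG records found in `text`; other types are skipped."""
    sigs = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[3].upper() != "RRSIG":
            continue
        sigs.append({
            "owner": f[0].lower(),
            "covered": f[4].upper(),
            "expiration": parse_sigtime(f[8]),
            "inception": parse_sigtime(f[9]),
            "keytag": int(f[10]),
            "signer": f[11].lower(),
        })
    return sigs


def classify(sig, now, warn):
    """A validating resolver treats the signature as bogus outside
    [inception, expiration]. 'expiring' means we are still inside the
    window but within `warn` of its end, i.e. re-signing is overdue."""
    if now < sig["inception"]:
        return "not_yet_valid"
    if now > sig["expiration"]:
        return "expired"
    if sig["expiration"] - now <= warn:
        return "expiring"
    return "ok"


def report(text, now, warn=timedelta(days=7)):
    """Map (owner, covered type) -> status for every RRSIG in `text`.
    The 7-day default is an assumption for the example, not a BIND value."""
    return {(s["owner"], s["covered"]): classify(s, now, warn)
            for s in parse_rrsigs(text)}


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for (owner, covered), status in sorted(report(SAMPLE, now).items()):
        print(f"{status:14} {owner} RRSIG({covered})")
```

In practice you would feed it `dig +dnssec +norecurse @your-auth-server example.com ANY` output (or `dig ... AXFR` from a signed master) from a cron job and alert on anything other than `ok`; the DNSKEY RRSIG is the one to watch most closely, because it is the signature a resolver checks first on the way down from the parent's DS.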

Kobus Bensch
Nov 1, 2012, 7:26:17 AM
to Alan Clegg, bind-...@lists.isc.org
Thanks. All makes sense and definitely something to think about in the new network design.

Also wanted to say, I did like the doc and will be using that, but as you say, will make particular note about the maintenance side of things.

Thanks

Kobus


Alan Clegg
Nov 1, 2012, 7:44:30 AM
to Tony Finch, bind-...@lists.isc.org

On Nov 1, 2012, at 7:34 AM, Tony Finch <d...@dotat.at> wrote:

> I recommend using "auto-dnssec maintain" so named keeps the zone signed,
> instead of dnssec-signzone.

I do as well, and this will be documented in the next version of this document.


Jan-Piet Mens
Nov 1, 2012, 8:02:44 AM
to bind-...@lists.isc.org
> I do as well, and this will be documented in the next version of this document.

I believe you've mentioned that here before. Several times. Today. ;-)

-JP

Chris Thompson
Nov 1, 2012, 8:43:16 AM
to Jan-Piet Mens, bind-...@lists.isc.org
"What I tell you three times is true."

The Bellman, pp Lewis Carroll

--
Chris Thompson
Email: ce...@cam.ac.uk

Sten Carlsen
Nov 1, 2012, 10:35:08 AM
to bind-...@lists.isc.org

On 01/11/12 12:26, Alan Clegg wrote:
> On Nov 1, 2012, at 7:14 AM, Kobus Bensch <kbe...@fullnet.co.uk> wrote:
>
>> Is that because split horizon doubles admin or because it's bad altogether?
>>
>> I have been using split horizon for many years now and found it very useful. Any thoughts from any on the list would be most welcomed.
>
> Crafted for a private reply, but being re-used here:
>
> There are places that views/split-horizon fit the model that has been put into place. It does, however, break the "one-question, one-answer" concept that was foundational for DNS.
>
> My recommendation is that for "internal" addressing, a separate zone be created that serves that address space. You gain a number of things from this, including easier debugging and better data security (no longer are you concerned about exactly what clients are seeing at "www.internal.example.com" since you know that the only people able to resolve/route "internal.example.com" are the ones that should be able to).
I believe that thinking is no longer valid with laptops moving around. I assume you don't have enough public addresses to give everything its own address; I don't, my servers work through a NAT. They are behind NAT partly for lack of IPs and partly because I want to keep their other ports away from accidental exposure to script kiddies; I know more concerted efforts will do more harm.

The typical server setup (for own servers) is that one name is used for setting up e.g. the mail server; the ideal situation for everybody is that whether I am in-house or visiting you, if I have any internet access, I can read and send mail.

Now if there is an internal zone with a different name, how will you set up the mail client? The internal name is not accessible from outside and the external name is not present in the internal name space. -> Two mail clients? Changing setups when moving between networks?

My solution is to have exactly the same names internally and externally; any client SW will just ask for the same server, but the IP will differ with the network segment.

IPv6 will change all that of course.

> The problem lies in that over the years, people (usually the higher-ups) have been trained (by us, the in-the-trench guys) that "www.example.com" can be one thing internally and something else externally, or that their printer really _should_ be named myprinter.example.com and not myprinter.internal.example.com.
>
> All the best,
> AlanC

-- 
Best regards

Sten Carlsen

No improvements come from shouting:

       "MALE BOVINE MANURE!!!" 

Alan Clegg
Nov 1, 2012, 5:45:28 PM
to bind-...@lists.isc.org

On Nov 1, 2012, at 7:45 AM, Alan Clegg <al...@clegg.com> wrote:

>
> On Nov 1, 2012, at 7:34 AM, Tony Finch <d...@dotat.at> wrote:
>
>> I recommend using "auto-dnssec maintain" so named keeps the zone signed,
>> instead of dnssec-signzone.
>
> I do as well, and this will be documented in the next version of this document.

Sorry for the spammage. Bad failure mode of mail.app under OSX, it seems. :(

Barry S. Finkel
Nov 1, 2012, 9:08:53 PM
to bind-...@lists.isc.org
On 11/1/2012 3:31 PM, Sten Carlsen <st...@s-carlsen.dk> wrote:
> The typical server setup (for own servers) is that one name is used for
> setting up e.g. the mail server, the ideal situation for everybody is
> that whether I am in house or visiting you, if I have any internet
> access, I can read and send mail.
>
> Now if there is an internal zone with a different name, how will you set
> up the mail client? internal name is not accessible from outside and
> external name is not present in internal name space. -> two mail
> clients? changing setups when moving between networks?
In this case, either 1) you have one mail server at the external border
and one mail server internal, or 2) the same MX record in the external
and internal view. You can have a common records file that you
$INCLUDE in both views.
--Barry Finkel

Sten Carlsen
Nov 1, 2012, 9:43:40 PM
to bind-...@lists.isc.org
This will work for SMTP service; I see a host of interesting issues with IMAP service. Two mail servers that must be synchronized within a minute, I don't think that is standard.

The simple solution (small scale) is to have one server, sitting internally or in the DMZ; the internal address record points to the 192.168.x.x address and the external address record points to the public address of the router, which then has a virtual server set up for it. This works flawlessly; I never consider whether I am in or out of the house.
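Three things in this thread pull on the same data: Alan's warning that views break "one question, one answer", Barry's pattern of a common records file `$INCLUDE`d into both views, and Sten's setup where the same name deliberately resolves to a private address inside and a public one outside. Before signing a zone that is served through views it is worth knowing exactly which RRsets differ, because to named each view's copy is a separate zone that is signed on its own (the keys can be shared through `key-directory`, but the signatures and NSEC/NSEC3 chains are generated per view). The script below is an added example, not from the thread or from ISC: it parses the two view files, follows `$INCLUDE`, and buckets every RRset as identical, different, or present in one view only. The zone files in `FILES`, the names and the addresses are constructed for the example; the parser covers only the master-file subset those files use (`$TTL`, `$ORIGIN`, `$INCLUDE`, comments, `@` and relative owner names), not parenthesised multi-line records or owner-name inheritance from the previous line.

```python
"""Compare the internal and external copies of a split-horizon zone.

Added example. FILES is a constructed set of zone files (not real data);
parse_zone() handles only the master-file subset used in them.
"""
from collections import defaultdict

FILES = {
    # Records that must be identical in both views, $INCLUDEd by each
    # (Barry Finkel's pattern). Owner '@' is the $ORIGIN of the includer.
    "common.db": """\
@       IN MX  10 mail.example.com.
mail    IN A   198.51.100.25
""",
    "external.db": """\
$TTL 3600
$ORIGIN example.com.
@       IN SOA ns1.example.com. hostmaster.example.com. 2012110101 7200 900 1209600 3600
@       IN NS  ns1.example.com.
ns1     IN A   198.51.100.53
www     IN A   198.51.100.80
$INCLUDE common.db
""",
    "internal.db": """\
$TTL 3600
$ORIGIN example.com.
@       IN SOA ns1.example.com. hostmaster.example.com. 2012110102 7200 900 1209600 3600
@       IN NS  ns1.example.com.
ns1     IN A   192.168.1.53
www     IN A   192.168.1.80
printer IN A   192.168.1.99        ; exists only on the inside
$INCLUDE common.db
""",
}


def qualify(name, origin):
    """Turn '@' and relative owner names into fully qualified, lowercased ones."""
    if name == "@":
        return origin.lower()
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(filename, origin, files=FILES):
    """Return {(owner, type): set(rdata)} for a zone file and its $INCLUDEs."""
    rrsets = defaultdict(set)
    for raw in files[filename].splitlines():
        line = raw.split(";", 1)[0].strip()          # drop comments
        if not line:
            continue
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1]
        elif tok[0] == "$TTL":
            pass                                     # TTLs are irrelevant here
        elif tok[0] == "$INCLUDE":
            inc_origin = tok[2] if len(tok) > 2 else origin
            for key, rdatas in parse_zone(tok[1], inc_origin, files).items():
                rrsets[key] |= rdatas
        else:
            owner = qualify(tok[0], origin)
            i = 1
            if tok[i].isdigit():                     # optional per-record TTL
                i += 1
            if tok[i].upper() in ("IN", "CH", "HS"):  # optional class
                i += 1
            rtype, rdata = tok[i].upper(), " ".join(tok[i + 1:])
            rrsets[(owner, rtype)].add(rdata)
    return rrsets


def compare_views(internal, external, ignore=("SOA",)):
    """Bucket every RRset by how the two views answer the same question.
    SOA is ignored by default because serials legitimately differ."""
    result = {"only_internal": [], "only_external": [], "differ": [], "same": []}
    for key in sorted(set(internal) | set(external)):
        if key[1] in ignore:
            continue
        if key not in external:
            result["only_internal"].append(key)
        elif key not in internal:
            result["only_external"].append(key)
        elif internal[key] != external[key]:
            result["differ"].append(key)
        else:
            result["same"].append(key)
    return result


if __name__ == "__main__":
    internal = parse_zone("internal.db", "example.com.")
    external = parse_zone("external.db", "example.com.")
    for bucket, keys in compare_views(internal, external).items():
        for owner, rtype in keys:
            print(f"{bucket:14} {owner} {rtype}")
```

Run against real files, `differ` is the list of names that Sten's approach relies on and that Alan's approach would move into a separate internal zone; `only_internal` is what the outside can never resolve anyway, and `same` should contain at least everything from the common include. Anything in `only_external` deserves a second look, since it is a name your own clients cannot resolve from inside the network.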