[nsd-users] Split-horizon question
list_nsd at bluerosetech.com
Tue Sep 5 05:54:57 UTC 2023
On 2023-09-01 4:16, Roman Serbski via nsd-users wrote:
> NSD 4.7.0 running on FreeBSD 13.X and serving DNSSEC signed zone (say
> mydomain.org) to the world.
>
> I've been approached by a customer with the request to include certain
> records into mydomain.org zone which will be resolvable only from
> their premises.
>
> I'm thinking to setup a pair of unbound instances, ask the customer to
> configure conditional forwarding for mydomain.org to those unbound
> instances, and serve requested records by unbound, while the rest of
> the zone will be handled by NSD.
>
> I think this will break DNSSEC for them -- do you think this is the
> right approach? Any ideas would be very much appreciated.
It will break DNSSEC. It's also a bad idea to only have some of the
scopes signed. They should either be all signed, or none of them signed.
To do DNSSEC with split-horizon, you need separate, individually-signed,
per-scope zonefiles. It works, but cache cross-contamination is a
radical podiatric procedure waiting to happen.
The BCP is to not use split-horizon with DNSSEC. Instead use routing
tricks like anycast or local more-specifics, or put the private RRset
under its own authoritative zone.
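To illustrate the last suggestion (keeping the customer-only names in a zone of their own), here is a constructed zone fragment that is not part of the original thread and not NSD's own documentation. It shows the public, signed mydomain.org zone delegating an assumed subzone, corp.mydomain.org, to a nameserver that is only reachable from the customer's premises. The subzone name, server names and addresses are all assumptions chosen for the example.

```dns
; Constructed example, not from the original thread: the public, DNSSEC-signed
; mydomain.org zone delegates the customer-only names to their own zone
; (corp.mydomain.org is an assumed name; addresses are RFC 5737/1918 examples).
$ORIGIN mydomain.org.
$TTL 3600
@        IN  SOA   ns1.mydomain.org. hostmaster.mydomain.org. (
                   2023090501 ; serial
                   7200       ; refresh
                   3600       ; retry
                   1209600    ; expire
                   3600 )     ; negative-cache TTL
@        IN  NS    ns1.mydomain.org.
ns1      IN  A     192.0.2.53

; Public records stay here and are signed exactly as before.
www      IN  A     192.0.2.80

; Delegation: the parent only states who is authoritative for corp,
; not what is inside it. The NS target has an RFC 1918 address, so
; only resolvers on the customer's network can actually reach it.
corp         IN  NS    ns-int.corp.mydomain.org.
ns-int.corp  IN  A     10.0.0.53   ; glue

; With no DS record here, the signed NSEC/NSEC3 chain of this zone proves
; that corp has no DS, so validators treat it as an insecure delegation
; rather than as bogus. To keep the chain of trust, sign corp.mydomain.org
; with its own keys and publish the corresponding DS at this point
; (e.g. generated from the subzone's KSK with ldns-key2ds).
```

With this layout there is only one copy of mydomain.org, signed once, so neither the per-scope zonefile problem nor the cache cross-contamination problem arises: a name under corp.mydomain.org can never be confused with a name in the parent because the names differ. The customer's resolvers follow the delegation normally, with no conditional forwarding needed; resolvers outside the premises cannot reach 10.0.0.53 and time out on corp names, which is a reachability failure rather than a DNSSEC validation failure. The internal server (an NSD instance, in this example) serves only the corp.mydomain.org zone.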