We are looking into turning on DNSSEC for our domain, but the question came up about our internal DNS resolvers.
We do not publish internal addresses in our public Cloudflare DNS, but those records do exist in our internal DNS (as do copies of our public DNS records). So what happens when we add the DS record at our registrar and turn on DNSSEC for our domain? Will DNSSEC-aware clients using the internal resolvers now start failing, as the records returned will not validate? Or, since these clients are being forced to use the internal DNS servers, will they just trust them? (That seems to defeat the purpose of DNSSEC.)
THANK YOU! This is a topic I have been meaning to ramble on about, but didn't have an excuse.
So let's assume I have an internal DNS server on my LAN (I am going to assume AD-integrated DNS, but BIND or $whatever will work the same).
For my internal users I will define my internal DNS nameservers to answer for this zone (because obviously external DNS cannot). So now... user A is on my LAN and asks for foo.example.com. His DHCP scope or DNS settings sent him to 192.0.2.1 (internal DNS server) for an answer. Since it is internal, that is effectively the "root" and there is not a DNSSEC signing key. So the name resolves.
On external DNS, where that name does not exist, if the same user queries for foo.example.com, DNSSEC will authoritatively say that DNS record does not exist (in public DNS), which for your scenario it does not.
Since you are running split brain / split horizon DNS in this manner the DNSSEC is also split.
To avoid TTL issues on/off the LAN and improve internal security, Active Directory DNSSEC does support the signing algorithms needed in the latest versions, AFAIK.
Also yes, if you can and you have overlapping DNS, you should sign records in both places and keep the TTL low (sub 600s) IMO. My opinion and $4 gets you a cuppa.
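One way to see the "split DNSSEC" described above from a client's point of view is to ask the same name of the internal and the public resolver and compare the response status with the AD (authenticated data) flag, which a validating recursive resolver sets only when the answer or the denial chained to a trust anchor. The script below is an added example, not code from this thread; it assumes `dig` from the BIND utilities is installed, and the resolver addresses and the name are placeholders. When run with no arguments it classifies two constructed dig transcripts instead of querying the network.

```shell
#!/bin/sh
# Added example: compare internal vs. public resolver answers for one name
# and read the DNSSEC outcome from dig's header lines. Assumes `dig` exists.

# classify_dig: read a full dig transcript on stdin and print
# "<STATUS> <validated|unvalidated>", e.g. "NXDOMAIN validated".
classify_dig() {
    awk '
        BEGIN { ad = "unvalidated" }
        /;; ->>HEADER<<-/ { sub(/.*status: /, ""); sub(/,.*/, ""); status = $0 }
        /^;; flags:/ {
            line = $0
            sub(/^;; flags: /, "", line)   # drop the prefix
            sub(/;.*/, "", line)            # drop the section counts
            n = split(line, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ad") ad = "validated"
        }
        END { if (status == "") status = "NORESPONSE"; print status " " ad }
    '
}

# query_and_classify NAME RESOLVER: ask for the A record with the DO bit set.
query_and_classify() {
    dig +dnssec "@$2" "$1" A | classify_dig
}

# interpret "<internal result>" "<public result>": one-line reading of the pair.
interpret() {
    case "$1/$2" in
        "NOERROR unvalidated/NXDOMAIN validated")
            echo "split horizon: internal zone unsigned, public side gives a signed denial" ;;
        "NOERROR validated/NOERROR validated")
            echo "name exists on both sides and both resolvers validated it" ;;
        */SERVFAIL*)
            echo "public resolver failed validation: check the DS/DNSKEY chain" ;;
        *)
            echo "mixed result: inspect the raw dig output" ;;
    esac
}

# compare_split_horizon NAME INTERNAL_RESOLVER PUBLIC_RESOLVER
compare_split_horizon() {
    internal=$(query_and_classify "$1" "$2")
    public=$(query_and_classify "$1" "$3")
    printf 'internal %s: %s\npublic   %s: %s\n' "$2" "$internal" "$3" "$public"
    interpret "$internal" "$public"
}

# Constructed dig header excerpts (not real captures) for an offline demo:
# an unsigned internal answer and a validated public denial of existence.
SAMPLE_INTERNAL=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40231
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_PUBLIC=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1'

# demo: classify the constructed samples and interpret the pair.
demo() {
    i=$(printf '%s\n' "$SAMPLE_INTERNAL" | classify_dig)
    p=$(printf '%s\n' "$SAMPLE_PUBLIC" | classify_dig)
    printf 'internal: %s\npublic:   %s\n' "$i" "$p"
    interpret "$i" "$p"
}

if [ $# -ge 3 ]; then
    compare_split_horizon "$1" "$2" "$3"   # e.g. foo.example.com 192.0.2.1 1.1.1.1
else
    demo
fi
```

A stub resolver that does no validation of its own only ever sees these two outcomes: an unsigned NOERROR from the internal server it was handed by DHCP, or a signed NXDOMAIN from the outside. Both are "correct" for the side they came from, which is exactly why the split has to be maintained on both sides if you sign the public zone.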
Split Horizon DNSSEC scares the pants off me. Have you seen it done successfully?
I think that any "leakage" between the two sides is likely to result in difficult-to-troubleshoot issues. Or will the fact that stub resolvers don't generally do validation be enough to mean that you only need to be sure that the internal resolvers get "good" results, and everything else will be fine?
My current thinking is that if I ever have to set up a new internal network it will be a sub-domain like corp.example.com, and not split horizon. But internal networks are disappearing, and maybe it's all just different shades of public from now on.