Hello,

NSD 4.7.0 running on FreeBSD 13.X and serving DNSSEC signed zone (say mydomain.org) to the world.

I've been approached by a customer with the request to include certain records into mydomain.org zone which will be resolvable only from their premises.

I'm thinking to set up a pair of unbound instances, ask the customer to configure conditional forwarding for mydomain.org to those unbound instances, and serve requested records by unbound, while the rest of the zone will be handled by NSD.

I think this will break DNSSEC for them -- do you think this is the right approach? Any ideas would be very much appreciated.

Thank you.
Hi Roman,

That can work if you configure Unbound with 'domain-insecure: "mydomain.org"' (courtesy of Wouter, please test, I'm not very knowledgeable when it comes to Unbound), but it will indeed break DNSSEC.

To make DNSSEC work, you will have to sign the zone twice and host a second copy (NSD or Unbound auth-zone). BIND offers something called a view, but even then you will need actual separate zones.

I cannot think of a more convenient way to achieve what you want and keep DNSSEC intact, but others may have suggestions(?)

- Jeroen

On Fri, 2023-09-01 at 13:16 +0200, Roman Serbski via nsd-users wrote:
> Hello,
>
> NSD 4.7.0 running on FreeBSD 13.X and serving DNSSEC signed zone (say
> mydomain.org) to the world.
>
> I've been approached by a customer with the request to include certain
> records into mydomain.org zone which will be resolvable only from
> their premises.
>
> I'm thinking to set up a pair of unbound instances, ask the customer to
> configure conditional forwarding for mydomain.org to those unbound
> instances, and serve requested records by unbound, while the rest of
> the zone will be handled by NSD.
>
> I think this will break DNSSEC for them -- do you think this is the
> right approach? Any ideas would be very much appreciated.
>
> Thank you.
On 2023-09-01 4:16, Roman Serbski via nsd-users wrote:
> NSD 4.7.0 running on FreeBSD 13.X and serving DNSSEC signed zone (say
> mydomain.org) to the world.
>
> I've been approached by a customer with the request to include certain
> records into mydomain.org zone which will be resolvable only from
> their premises.
>
> I'm thinking to set up a pair of unbound instances, ask the customer to
> configure conditional forwarding for mydomain.org to those unbound
> instances, and serve requested records by unbound, while the rest of
> the zone will be handled by NSD.
>
> I think this will break DNSSEC for them -- do you think this is the
> right approach? Any ideas would be very much appreciated.

It will break DNSSEC. It's also a bad idea to only have some of the scopes signed. They should either be all signed, or none of them signed.

To do DNSSEC with split-horizon, you need separate, individually-signed, per-scope zonefiles. It works, but cache cross-contamination is a radical podiatric procedure waiting to happen.

The BCP is to not use split-horizon with DNSSEC. Instead use routing tricks like anycast or local more-specifics, or put the private RRset under its own authoritative zone.
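To make the three options in this thread concrete, here is an added unbound.conf sketch for the customer-facing resolver pair; it is example configuration written for this page, not something posted by Roman, Jeroen or the NLnet Labs projects. Variant A is the domain-insecure approach from Jeroen's reply, variant B is the "second, separately signed copy loaded as an Unbound auth-zone" approach, and variant C is the last reply's "private RRset under its own authoritative zone". The addresses (192.0.2.0/24 for the customer network, 198.51.100.1 for the public NSD, 192.0.2.54 for an internal NSD), the zone file paths and the name intranet.mydomain.org are all placeholders chosen for the example.

```conf
# Placeholder addresses (RFC 5737 ranges) and paths; replace for real use.
# Only ONE of the three variants below belongs in a given unbound.conf.

server:
    interface: 192.0.2.53
    access-control: 192.0.2.0/24 allow
    # Root trust anchor, so everything outside the customer's zone still validates.
    auto-trust-anchor-file: "/var/unbound/root.key"

    ### Variant A: what the original question asks for. The private record is
    ### unsigned local data, so validation has to be disabled for the whole
    ### name; every mydomain.org answer now comes back insecure (no AD bit).
    domain-insecure: "mydomain.org"
    local-zone: "mydomain.org" transparent
    local-data: "intranet.mydomain.org. 3600 IN A 192.0.2.10"

# Variant A, continued: names not present in local-data are fetched from
# the public NSD (stub-zone, because NSD is authoritative, not recursive).
stub-zone:
    name: "mydomain.org"
    stub-addr: 198.51.100.1

### Variant B: keeps DNSSEC. A second copy of the zone that also contains the
### private records is signed with the SAME KSK as the public copy (so the DS
### in the parent still matches) and served authoritatively by Unbound.
### No domain-insecure line and no stub-zone are needed in this variant.
auth-zone:
    name: "mydomain.org"
    zonefile: "/var/unbound/mydomain.org.internal.signed"
    for-downstream: yes   # answer customer queries from this copy
    for-upstream: yes     # also use it instead of recursing to the public NSD

### Variant C: keeps DNSSEC without a second copy of mydomain.org. The public
### zone delegates intranet.mydomain.org (NS + DS records) to an internal NSD
### that is reachable only from the customer's network; the child zone is
### signed once and validates through the normal chain of trust.
### No domain-insecure line is needed; the public zone is left untouched.
stub-zone:
    name: "intranet.mydomain.org"
    stub-addr: 192.0.2.54
```

A quick check for whichever variant is deployed is `dig +dnssec intranet.mydomain.org @192.0.2.53`: with variant A the AD flag is absent on every mydomain.org answer, with B and C it is set. The caveat behind the last reply applies to variant B: the public and internal copies carry different NSEC/NSEC3 chains, so a cache that ever mixes answers from both (a laptop that roams between the office and the public resolvers, or aggressive NSEC use) can synthesize a bogus or NXDOMAIN answer for the private name. Variant C avoids that because there is only one signed version of each zone.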