ietf-wg-dnsop / draft-ietf-dnsop-domain-verification-techniques

IETF draft surveying DNS domain verification techniques.
https://ietf-wg-dnsop.github.io/draft-ietf-dnsop-domain-verification-techniques/

Validation and internal only zones and DS record issue #96

Closed paulwouters closed 3 months ago

paulwouters commented 1 year ago

Imagine you want internal.example.com internally, signed with DNSSEC. And you want dns-01 ACME challenges.

You can add a DS without adding NS records. This seems to work (see internal.foobar.fi as an example).

However: https://datatracker.ietf.org/doc/html/rfc3658.html#section-2.2 states:

DS RRsets MUST NOT appear at non-delegation points or at a zone's apex.

Is this something to warn about to not do, or something to advise to do :)
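A check for the RFC 3658 rule quoted above, as an added example that is not part of this issue thread or the draft: it scans a zone in presentation format and lists owner names whose DS RRset sits at the apex or at a name with no NS RRset. The zone text, names and digests are constructed for illustration.

```python
# Added example, not from the draft or this thread: a small lint that reports
# DS RRsets placed where RFC 3658 section 2.2 forbids them, i.e. at the zone
# apex or at an owner name with no NS RRset (no delegation point).
ZONE_APEX = "example.com."

# Constructed zone snippet (digests are placeholders, not real key hashes):
# "sub" is a normal delegation with its DS; "internal" carries a DS but no NS,
# the set-up discussed in the issue; the apex DS is the other forbidden case.
SAMPLE_ZONE = """\
example.com.          3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
example.com.          3600 IN NS  ns1.example.com.
example.com.          3600 IN DS  12345 13 2 PLACEHOLDERDIGEST00000000000000000000000000000000000
sub.example.com.      3600 IN NS  ns1.sub.example.com.
sub.example.com.      3600 IN DS  23456 13 2 PLACEHOLDERDIGEST11111111111111111111111111111111111
internal.example.com. 3600 IN DS  34567 13 2 PLACEHOLDERDIGEST22222222222222222222222222222222222
www.example.com.      3600 IN A   192.0.2.10
"""

def parse_records(zone_text):
    """Yield (owner, rrtype) from one-record-per-line presentation format."""
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()   # strip comments and blanks
        if not fields:
            continue
        owner, rest = fields[0].lower(), fields[1:]
        if rest and rest[0].isdigit():           # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() == "IN":     # optional class
            rest = rest[1:]
        if rest:
            yield owner, rest[0].upper()

def misplaced_ds(zone_text, apex=ZONE_APEX):
    """Return sorted owner names whose DS RRset violates RFC 3658 s2.2."""
    ns_owners, ds_owners = set(), set()
    for owner, rrtype in parse_records(zone_text):
        if rrtype == "NS":
            ns_owners.add(owner)
        elif rrtype == "DS":
            ds_owners.add(owner)
    apex = apex.lower()
    # The apex NS RRset is the zone's own authority, not a delegation, so a DS
    # there is misplaced too; elsewhere a DS needs an NS RRset at the same name.
    return sorted(o for o in ds_owners if o == apex or o not in ns_owners)

if __name__ == "__main__":
    for owner in misplaced_ds(SAMPLE_ZONE):
        print(f"DS at {owner} is not at a delegation point (RFC 3658 s2.2)")
```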

bleve commented 1 year ago

The reason for exporting a DS record in the public domain without NS records is to make internal domain DNSSEC automation work with RFC 8078. The DS record makes automation possible. Using just a trust anchor in resolvers won't allow this kind of KSK rollover automation. Also, when the internal subdomain DS record is published in public DNS, trust works for internal DNS resolvers without any hacks.

moonshiner commented 3 months ago

I will admit I've published internal DS records into public DNS zones, to allow for the internal resolvers to work.

Marking this to close.