[nsd-users] Split-horizon question
Jeroen Koekkoek
jeroen at nlnetlabs.nl
Mon Sep 4 10:22:58 UTC 2023
Hi Roman,
That can work if you configure Unbound with 'domain-insecure:
"mydomain.org"' (courtesy of Wouter, please test, I'm not very
knowledgeable when it comes to Unbound), but it will indeed break
DNSSEC.
To make DNSSEC work, you will have to sign the zone twice and host a
second copy (NSD or Unbound auth-zone). BIND offers something called a
view, but even then you will need actual separate zones.
I cannot think of a more convenient to achieve what you want and keep
DNSSEC intact, but others may have suggestions(?)
- Jeroen
On Fri, 2023-09-01 at 13:16 +0200, Roman Serbski via nsd-users wrote:
> Hello,
>
> NSD 4.7.0 running on FreeBSD 13.X and serving DNSSEC signed zone (say
> mydomain.org) to the world.
>
> I've been approached by a customer with the request to include
> certain
> records into mydomain.org zone which will be resolvable only from
> their premises.
>
> I'm thinking to setup a pair of unbound instances, ask the customer
> to
> configure conditional forwarding for mydomain.org to those unbound
> instances, and serve requested records by unbound, while the rest of
> the zone will be handled by NSD.
>
> I think this will break DNSSEC for them -- do you think this is the
> right approach? Any ideas would be very much appreciated.
>
> Thank you.
> _______________________________________________
> nsd-users mailing list
> nsd-users at lists.nlnetlabs.nl
> https://lists.nlnetlabs.nl/mailman/listinfo/nsd-users
More information about the nsd-users
mailing list