
I'm playing with DNSSEC for my domain. My DNS server is dual homed (with suitable limits on what can be queried on the public interface) and covers both my public domain and a private top-level domain (.loc) that I use on my LAN.

I'm struggling to work out how to add a DS record for the .loc domain into my bind9 config. Because it is a top-level domain it would normally be listed in the root servers.

Can I add it to my zone file before the $ORIGIN statement?

hardillb

1 Answer


You can't really add a DS record for something that is not part of the tree, as there is no proper parent/child relationship for such a zone.

It should be possible to use trusted-keys on your internal validating resolvers to override the keys (or lack thereof) specified in DNS.

It's worth noting, however, that just picking an arbitrary TLD and using it internally is not a good practice. Especially so nowadays as the flood-gates have been opened and new public TLDs are registered all the time.

Håkan Lindqvist
  • Yeah, it was set up before all the crazy new set of TLDs got set up; I just haven't got round to finding something better. I do check the list every now and again to make sure it's still free. – hardillb Dec 25 '15 at 19:25
  • Eager to know which section "override the keys (or lack thereof) specified in DNS." actually links to. The HTML anchor does not exist anymore. – hbogert Oct 24 '16 at 21:35
  • @hbogert I don't recall exactly, but I believe that would be http://ftp.isc.org/isc/bind9/cur/9.10/doc/arm/Bv9ARM.ch04.html#dnssec_config. I'll have to have a closer look at it and update the answer if it actually makes sense. – Håkan Lindqvist Oct 24 '16 at 21:50
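The answer above points at configuring the .loc KSK as a static trust anchor on the internal resolvers instead of publishing a DS record. The following is an added example (not part of the original question, answer, or BIND itself) that takes the KSK's DNSKEY record as it appears in the signed zone file, computes its key tag per RFC 4034 Appendix B so you can cross-check it against `dnssec-dsfromkey` or `dig`, and emits the `named.conf` stanza: the `trust-anchors { ... static-key ...; }` form used by BIND 9.16 and later, or the older `trusted-keys { ... }` form the answer names. The DNSKEY shown is a constructed sample with a fake 64-byte public key so the script runs offline; the owner name `loc.` and the function names are mine.

```python
"""Build a BIND static trust anchor for a private zone from its KSK DNSKEY record.

Added example: the DNSKEY below is constructed (not a real key) so that the
script is deterministic and runs without any DNS access.
"""
import base64
import struct

# Constructed sample KSK: flags 257 (ZONE|SEP), protocol 3, algorithm 13
# (ECDSAP256SHA256). The "public key" is just bytes 0x01..0x40, NOT a real key.
SAMPLE_OWNER = "loc."
SAMPLE_PUBKEY = bytes(range(1, 65))


def build_sample_dnskey_rr() -> str:
    """Return the constructed KSK as a zone-file style DNSKEY RR line."""
    b64 = base64.b64encode(SAMPLE_PUBKEY).decode("ascii")
    return f"{SAMPLE_OWNER} 3600 IN DNSKEY 257 3 13 {b64}"


def parse_dnskey_rr(rr_text: str):
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg base64...' into its fields.

    The base64 key may be split over several whitespace-separated chunks, as
    dnssec-keygen and dig print it.
    """
    fields = rr_text.split()
    if "DNSKEY" not in fields:
        raise ValueError("not a DNSKEY record")
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[i + 1 : i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4 :]))
    return owner, flags, proto, alg, pubkey


def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA.

    Even-offset bytes are weighted by 256, odd-offset bytes by 1; the carry
    above 16 bits is folded back in once and the low 16 bits are the tag.
    """
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    ac = 0
    for idx, b in enumerate(rdata):
        ac += b << 8 if idx % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags: int) -> bool:
    """True when both the ZONE bit (256) and the SEP bit (1) are set, i.e. flags 257."""
    return flags & 0x0101 == 0x0101


def trust_anchor_stanza(rr_text: str, legacy: bool = False) -> str:
    """Render the named.conf stanch that pins this KSK on a validating resolver.

    legacy=False -> 'trust-anchors { ... static-key ...; };'  (BIND 9.16+)
    legacy=True  -> 'trusted-keys { ...; };'                   (older BIND)
    Only the KSK should be anchored; a ZSK rolls too often to pin statically.
    """
    owner, flags, proto, alg, pubkey = parse_dnskey_rr(rr_text)
    if not is_ksk(flags):
        raise ValueError("anchor the KSK (flags 257), not a ZSK")
    b64 = base64.b64encode(pubkey).decode("ascii")
    if legacy:
        return f'trusted-keys {{\n    "{owner}" {flags} {proto} {alg} "{b64}";\n}};'
    return f'trust-anchors {{\n    "{owner}" static-key {flags} {proto} {alg} "{b64}";\n}};'


if __name__ == "__main__":
    rr = build_sample_dnskey_rr()
    _, flags, proto, alg, pubkey = parse_dnskey_rr(rr)
    print(f"; key tag {key_tag(flags, proto, alg, pubkey)} (compare with dnssec-dsfromkey)")
    print(trust_anchor_stanza(rr))
```

Drop the printed stanza into `named.conf` on each internal resolver (with `dnssec-validation` enabled) and confirm that `dig @resolver something.loc +dnssec` returns the `ad` flag. Because the anchor is static, nothing tracks rollovers for you: every time the .loc KSK is rolled, the stanza on every resolver has to be updated, which is why the answer's caveat about squatting on a made-up TLD is worth taking seriously.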