On Sun, Nov 9, 2025 at 2:37 AM Ted Lemon <[email protected]> wrote:
> Why is signing internal zones a bad idea? Seems like a good idea to me,
> but I haven't been able to do it at scale so maybe I'm missing something?
I've been reading but mostly choosing to stay out of the conversation because the current protocol standards already permit trust to be managed properly across internal/external boundaries by organizations and DNS administrators that choose to do so. I'm not convinced that adding more standards documents will convince organizations that do not choose to manage their namespace(s) coherently to start doing so.

Most of those boundaries in forward-mapping DNS at my organization occur at either the second-level domain (for one registered domain) or the third-level domain (like the internal.example.corp illustration), though I can think of at least one example of that boundary being established at the fourth-level domain. The boundary is established with a public, but mostly empty, placeholder zone with a legitimate Internet-resolvable delegation in addition to the "internal" version.

An enterprise of any scale that is going to deploy zones that are not publicly resolvable will often have a tiered forwarder-based recursive infrastructure with the "internal" recursive resolvers forwarding by default to the Internet resolvers for the organization. (It's not the only approach, of course, but it's one that can scale.) Trust at the boundary is then managed by the presence or absence of DS records in the parent zone, the same as for a zone with only a single Internet version. (A secure delegation requires that both the Internet and "internal" versions of the zone are signed and a DS record for both KSKs has been placed in the Internet parent zone.)

With that noted, the decision to sign or not sign a given zone, internal or otherwise, has to be made on a case-by-case basis. But at scale, an enterprise DNS can be quite large, can have completely different organizational administration of different portions (with their own recursive resolvers) and often has consumers of their "internal" DNS outside their organization through private channels.

The security assurances and benefits of signing an "internal" zone often aren't significantly different from a public zone. Only a pretty small "enterprise" would have "internal" zones that are only consumed by recursive resolvers under the administrative control of a single organization within that enterprise *and* no external parties.

While those of us who work with the protocol standards understand that trust is always managed at the parent, in my experience that is still not well understood more broadly. I routinely work with other organizations to whom I have to explain that the security state of a zone for a DNSSEC-validating resolver isn't determined by whether or not a zone is DNSSEC signed but by the presence or absence of a DS record in the last secure parent zone in the chain of trust. Therefore they equate not signing a zone with making its namespace insecure. (That often arises when an external vendor wants us to "override" one of their secure subdomains with our own version of it even when I explain our recursive resolvers are all DNSSEC validating. I can't count how many times I've been told to just not sign our version of the zone as if that resolves the trust issue.)

Other arguments against DNSSEC signing an "internal" version of a zone usually focus on the fact that some internal zones might be large or might change frequently (as if that weren't a concern for some TLDs). That's more a reflection of the fact that size and scale of signing must be considered in the design. But it's not inherently an issue. My organization has an "internal" zone with hundreds of thousands of records with up to 75 or so DDNS updates a second at times during the business day that we've been DNSSEC signing (obviously mostly with incremental signing and transfers) for about a decade now. (That zone is consumed and used by a lot of other organizations even though it is not resolvable over the Internet. It's at a level below the internal/external boundary so there isn't even a placeholder on the Internet.)

Anyway, there is nothing inherently different about the decision to sign or not sign a zone simply because the entire Internet can't resolve entries in it. And as noted, I would argue that there isn't any clear "internal" vs. "external" binary state for an authoritative zone in almost every real-world instance. There are zones that can be resolved by most sources across the Internet. And then there are zones (or versions of zones) that can only be resolved by some subset of most recursive resolvers across the Internet. The size of that subset can vary a lot.

Maybe some of the above adds some value to the discussion.

Thanks,
Scott
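An added example, not part of Scott's mail or of any DNSOP document, that models the rule the mail keeps coming back to: a validator's verdict on a child zone is decided by the DS records in the last secure parent, not by whether the child is signed. Zone names follow the mail's internal.example.corp illustration; the key tags and the delegation chain are constructed.

```python
from dataclasses import dataclass, field

SECURE, INSECURE, BOGUS = "secure", "insecure", "bogus"

@dataclass
class Zone:
    name: str                               # apex of this version of the zone
    signed: bool                            # carries a DNSKEY RRset and RRSIGs?
    ksk_tags: frozenset = frozenset()       # key tags of its KSKs
    ds: dict = field(default_factory=dict)  # child apex -> DS key tags published here

def validation_state(chain):
    """Walk from the trust anchor (chain[0]) down one delegation chain and
    return {zone name: state}. The parent's DS RRset alone decides the child:
    no DS -> insecure; DS matching a KSK the child publishes -> secure;
    DS present but nothing matches -> bogus (a validator answers SERVFAIL)."""
    states, parent = {}, None
    for zone in chain:
        if parent is None:
            state = SECURE if zone.signed else BOGUS   # trust anchor itself
        elif states[parent.name] != SECURE:
            state = states[parent.name]                # bogus/insecure parent carries down
        else:
            ds_tags = parent.ds.get(zone.name, set())
            if not ds_tags:
                state = INSECURE                       # parent proves there is no DS
            elif zone.signed and ds_tags & zone.ksk_tags:
                state = SECURE
            else:
                state = BOGUS                          # DS promises a key the child lacks
        states[zone.name] = state
        parent = zone
    return states

# Constructed chain; key tags are made up, not taken from any real zone.
ROOT = Zone(".", True, frozenset({4242}), ds={"corp.": {1}})
CORP = Zone("corp.", True, frozenset({1}), ds={"example.corp.": {2}})

def boundary_views(internal_signed, ds_for_internal_ksk):
    """The mail's boundary zone: an Internet placeholder (KSK tag 100) and an
    internal version (KSK tag 200) of internal.example.corp, both delegated from
    the one Internet parent example.corp. Returns (public state, internal state)."""
    ds_tags = {100} | ({200} if ds_for_internal_ksk else set())
    parent = Zone("example.corp.", True, frozenset({2}), ds={"internal.example.corp.": ds_tags})
    public = Zone("internal.example.corp.", True, frozenset({100}))
    internal = Zone("internal.example.corp.", internal_signed,
                    frozenset({200}) if internal_signed else frozenset())
    name = "internal.example.corp."
    return (validation_state([ROOT, CORP, parent, public])[name],
            validation_state([ROOT, CORP, parent, internal])[name])
```

Leaving the internal version unsigned while the Internet parent publishes a DS for the placeholder yields bogus for internal resolvers, which is the vendor "just don't sign it" misunderstanding the mail describes; only a missing DS in the parent makes the name insecure.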
