dns:dnssec
Differences
This shows you the differences between two versions of the page.
| Both sides previous revisionPrevious revision | |||
| dns:dnssec [2025/01/19 10:09] – [DNSSEC Flags] bstafford | dns:dnssec [2025/05/09 13:18] (current) – [Internal DNSSEC] bstafford | ||
|---|---|---|---|
| Line 106: | Line 106: | ||
| ===== Internal DNSSEC ===== | ===== Internal DNSSEC ===== | ||
| + | [[https:// | ||
| + | |||
| Internal domains should not be DNSSEC signed. If they are truly internal domains, connecting into the chain of trust would be challenging if not impossible. However, there is another concern if the internal domains are receiving DDNS updates, then they will constantly need to re-sign the domain, which could end up being a major performance impact. DNSSEC validation is done by DNS servers, not clients, so if the clients are going to be querying servers that have the authoritative data, there is absolutely nothing to validate. | Internal domains should not be DNSSEC signed. If they are truly internal domains, connecting into the chain of trust would be challenging if not impossible. However, there is another concern if the internal domains are receiving DDNS updates, then they will constantly need to re-sign the domain, which could end up being a major performance impact. DNSSEC validation is done by DNS servers, not clients, so if the clients are going to be querying servers that have the authoritative data, there is absolutely nothing to validate. | ||
dns/dnssec.1737281391.txt.gz · Last modified: by bstafford