Re: [DNSOP] DNSSEC in local networks

"Walter H." <> Mon, 04 September 2017 15:22 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 7604F129C41 for <>; Mon, 4 Sep 2017 08:22:02 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.701
X-Spam-Status: No, score=-2.701 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (1024-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id md7TRmKhDZSs for <>; Mon, 4 Sep 2017 08:21:59 -0700 (PDT)
Received: from ( []) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id B3B1313219F for <>; Mon, 4 Sep 2017 08:21:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed;; s=dkim11; h=Content-Type:In-Reply-To:References:Subject:CC:To:MIME-Version:From:Date:Message-ID; bh=ILwDvGoOnHPnA6ZZ0mVP6zaLVja/JIUn76OCS5xamwg=; b=hwpTVHspOgl2KLXgfZ/Ce41hkeDNhht7/tEX2cDBmktw0q32Ei9ey0FsSF0kWPZVOn5LLMr3Tur+EZziDTi9Rtzal23Qczn7NIycx8L5DlcQPNDP9QaZGi860s0Sw7IhIYe5+YfeOjmXVb1UUMEBpih9Xsr/0ypZDMDcx1wzAus=;
Received: from [] (helo=home.mail) by with esmtpsa (TLSv1.2:DHE-RSA-AES256-GCM-SHA384:256) (Exim 4.84_2) (envelope-from <>) id 1dotCF-0000X2-PB; Mon, 04 Sep 2017 17:21:55 +0200
Message-ID: <>
Date: Mon, 04 Sep 2017 17:21:54 +0200
From: "Walter H." <>
Organization: Home
User-Agent: Mozilla/5.0 (UNIX; U; Cray X-MP/48; en-US; rv:2.70) Gecko/20110929 Communicator/7.20
MIME-Version: 1.0
To: Stephane Bortzmeyer <>
CC: dnsop WG <>
References: <> <> <> <> <> <> <> <59f8c88caaf82a5884aa87223d49e7e4.1504505559@squirrel.mail> <> <3fe7bc511a990b0288b645dc176e1ef3.1504515284@squirrel.mail> <>
In-Reply-To: <>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070509090904080708040901"
X-SA-Do-Not-Run: Yes
X-AV-Do-Run: Yes
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Archived-At: <>
Subject: Re: [DNSOP] DNSSEC in local networks
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 04 Sep 2017 15:22:02 -0000

On 04.09.2017 17:01, Stephane Bortzmeyer wrote:
> On Mon, Sep 04, 2017 at 10:54:44AM +0200,
>   Walter H.<>  wrote
>   a message of 25 lines which said:
>> I'd say: "either you trust the local net or not";
> ..., but I think it is a
> mistake.
not really, when  there is a security problem, DNS is the less one ...
and I didn't say, that a locally running resolver would not be allowed 
to validate DNSSEC;
but there needn't be a DNSSEC signed local only zone, as the signature 
and zone content comes from the same host;
you can of course validate your own local only zone, nobody prevents you 
from doing so, but it is somewhat strange;
and the fact that a change of the zone doesn't need to be resigned 
raises problems to;

  Many local networks are vulnerable to packets with an
internal address coming from the outside, routing attacks diverting
traffic outside, etc. Not to mention the internal attacks, for
instance by a MS-Windows zombie.

even this is true, DNSSEC for the local zones doesn't make it any better;
as I said, when there is a security problem DNS is the less one ...

> It seems to me that having TLS, DNSSEC and SSH and so on even in the
> local net is Best Practice.
yes and no; when operating a local  mail server that uses TLS for IMAP, 
SMTP, then
a Anti-virus has to break TLS in order to scan before it gets to the 
client ...