Re: [DNSOP] howto "internal"

Tony Finch <dot@dotat.at> Tue, 24 July 2018 15:32 UTC

Date: Tue, 24 Jul 2018 16:32:44 +0100
From: Tony Finch <dot@dotat.at>
To: Petr Špaček <petr.spacek@nic.cz>
cc: dnsop@ietf.org
In-Reply-To: <2264d840-33cc-736c-668a-a537c4da4a30@nic.cz>
Message-ID: <alpine.DEB.2.20.1807241623300.5965@grey.csi.cam.ac.uk>
References: <1cb82914-0bc3-9ea7-7f69-9dc826d19e48@andreasschulze.de> <2264d840-33cc-736c-668a-a537c4da4a30@nic.cz>
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/9ZWJFl7roY275wUmvVAW3ps87Hg>

Petr Špaček <petr.spacek@nic.cz> wrote:
>
> My operational experience indicates that it is easiest to just use
> "corp.example.com.", "office.example.com.", or even "i.example.com.".

We use private.cam.ac.uk.

> Nice thing is that this approach doesn't require:
> - views

We have an empty version of private.cam.ac.uk in an external view,
originally set up to avoid problems with CAA checking for X.509
certificates. It also massively reduces retries for REFUSED queries from
outside. (Our qps went down by about 50% when we introduced this view!)

> - forwarding

However you do still need forwarding (or stealth secondarying) for RFC1918
reverse DNS. Catalog zones make stealth secondaries almost as easy as
forwarding to set up and maintain :-)

> - explicit trust anchor (if you want DNSSEC inside internal network)
>
> and generally just works :-)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Sole: Westerly backing southerly, 3 or 4, increasing 5 or 6 later in west.
Slight, becoming moderate in west. Mainly fair. Moderate or good.
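As an added example (not part of Tony's message, and not the actual cam.ac.uk configuration), here is how the arrangement he describes can be written in BIND 9 `named.conf`: an internal view that serves the real `private.cam.ac.uk` zone and forwards RFC 1918 reverse lookups, and an external view that serves an empty copy of the same zone. The empty copy matters for two reasons the message gives: an authoritative NXDOMAIN lets a CA's CAA lookup climb to `cam.ac.uk` instead of aborting on REFUSED, and resolvers stop retrying because they get a definitive answer. Everything except the zone name is an assumption: the address ranges, the forwarder at `10.0.0.53`, the file paths, and the use of `type primary` (BIND 9.16 and later; older releases spell it `type master`).

```text
// named.conf (assumed example, not a real deployment)

// Clients that may see the private namespace. RFC 1918 ranges plus loopback;
// adjust to the site's actual internal prefixes.
acl internal-nets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 127.0.0.0/8; ::1; };

view "internal" {
    match-clients { internal-nets; };
    recursion yes;

    // The real zone, containing the internal hosts.
    zone "private.cam.ac.uk" {
        type primary;
        file "zones/private.cam.ac.uk.internal";
    };

    // RFC 1918 reverse DNS cannot be resolved from the public tree, so it
    // must be forwarded (or stealth-secondaried) to the server that holds it.
    // "forward only" prevents a fallback to the root servers on failure.
    zone "10.in-addr.arpa" {
        type forward;
        forward only;
        forwarders { 10.0.0.53; };
    };
    // Stealth-secondary alternative for the same zone (not listed in the
    // parent's NS set, so it answers locally without ever being delegated to):
    //   zone "10.in-addr.arpa" { type secondary; primaries { 10.0.0.53; }; file "zones/10.in-addr.arpa.db"; };
};

view "external" {
    match-clients { any; };
    recursion no;

    // Empty copy of the zone. Any name under it returns NXDOMAIN with a
    // proper SOA, rather than REFUSED, so CAA tree-climbing and negative
    // caching both work. The file holds nothing but the apex records:
    //
    //   $TTL 3600
    //   @  IN SOA  ns1.cam.ac.uk. hostmaster.cam.ac.uk. ( 1 3600 900 1209600 3600 )
    //   @  IN NS   ns1.cam.ac.uk.
    //
    zone "private.cam.ac.uk" {
        type primary;
        file "zones/private.cam.ac.uk.empty";
    };
};
```

To confirm the split is behaving, query the same name from inside and outside: an internal client should get the host's address, while an external client should get NXDOMAIN (status NXDOMAIN, with the SOA in the authority section) rather than REFUSED. Note that view order is significant in BIND, so the internal view with its narrower `match-clients` must come before the catch-all external one.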