<div dir="ltr"><div>Hi</div><div><br></div><div>Thanks a lot for the reference to NTAs - yes this seems to be straight forward.</div><div><br></div><div>The headache comes indeed mainly with this few shadow records - tough i'm not sure if i mean exactly the same as you with the term "Shadow Record".</div><div><br></div><div>Example what i mean:<br><br></div><div>External Side:</div><div>- a configured A Record <a href="http://server01.bla.test.com">server01.bla.test.com</a> points to 194.88.45.32 on the external Public Zone of <a href="http://test.com">test.com</a> in the AWS R53 config</div><div>- only external clients are resolving <a href="http://server01.bla.test.com">server01.bla.test.com</a> to this 194.88.145.32 IP</div><div><br></div><div><br></div><div>Internal Side:<br></div><div>- a configured A Record <a href="http://server01.bla.test.com">server01.bla.test.com</a> points to 192.168.1.22 on the internal <a href="http://bla.test.com">bla.test.com</a> Zone on the internal Powerdns Authoritative</div><div>- only internal Clients/Servers resolve <a href="http://server01.bla.test.com">server01.bla.test.com</a> to this 192.168.1.22 IP via the forward-zone=<a href="http://bla.test.com">bla.test.com</a> on the internal DNS Recursor</div><div><br></div><div><br></div><div>I would assume that since the internal resolution path would be via forward-zone configuration of <a href="http://bla.test.com">bla.test.com</a> it should work when the internal Zone <a href="http://bla.test.com">bla.test.com</a> is not dnssec enabled and the external <a href="http://bla.test.com">bla.test.com</a> is dnssec enabled</div><div><br></div><div>But i'm absolutely and 100% unsure about this and i dont like this situation at all..</div><div><br></div><div>Best Regards</div><div><br></div><div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Am Do., 9. Apr. 2026 um 10:38 Uhr schrieb Brian Candler <<a href="mailto:b.candler@pobox.com">b.candler@pobox.com</a>>:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><u></u>
<div>
<div>On 09/04/2026 09:13, rob777 via
Pdns-users wrote:<br>
</div>
<blockquote type="cite">Do
i create a mess with this planned DNSSEC enabling on the external
<a href="http://test.com" target="_blank">test.com</a> DNS
Zone?</blockquote>
<p>If it's just a case of private, unsigned subdomains of <a href="http://test.com" target="_blank">test.com</a>,
then all you need to do is to set Negative Trust Anchors for these
subdomains on your internal recursor(s), and it will be fine.</p>
<p>See:
<a href="https://doc.powerdns.com/recursor/settings.html#forward-zones" target="_blank">https://doc.powerdns.com/recursor/settings.html#forward-zones</a></p>
<p>The fact that you have conflicting parent zones ("shadow zone")
might be more problematic, but I'm not sure. Personally, I'd get
rid of the shadow <a href="http://test.com" target="_blank">test.com</a> zone and use an RPZ to override the
specific answers that you want to be different for internal
clients - which you say is only 2 or 3 records. It's much more
maintainable too, since anything you add to the public <a href="http://test.com" target="_blank">test.com</a>
zone will be visible to internal clients automatically; you don't
have to keep the shadow zone file in sync.</p>
<p><a href="https://doc.powerdns.com/recursor/lua-config/rpz.html" target="_blank">https://doc.powerdns.com/recursor/lua-config/rpz.html</a></p>
<p><br>
</p>
</div>
</blockquote></div></div>