[Pdns-users] DNSSEC + Split DNS
Brian Candler
b.candler at pobox.com
Thu Apr 9 08:38:19 UTC 2026
On 09/04/2026 09:13, rob777 via Pdns-users wrote:
> Do i create a mess with this planned DNSSEC enabling on the external
> test.com DNS Zone?
If it's just a case of private, unsigned subdomains of test.com, then
all you need to do is to set Negative Trust Anchors for these subdomains
on your internal recursor(s), and it will be fine.
See: https://doc.powerdns.com/recursor/settings.html#forward-zones
The fact that you have conflicting parent zones ("shadow zone") might be
more problematic, but I'm not sure. Personally, I'd get rid of the
shadow test.com zone and use an RPZ to override the specific answers
that you want to be different for internal clients - which you say is
only 2 or 3 records. It's much more maintainable too, since anything you
add to the public test.com zone will be visible to internal clients
automatically; you don't have to keep the shadow zone file in sync.
https://doc.powerdns.com/recursor/lua-config/rpz.html
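An added illustration of the two settings described above (not from the thread or from PowerDNS itself): a PowerDNS Recursor Lua config that adds a Negative Trust Anchor only for the private subdomain and loads a small RPZ that overrides the handful of names internal clients must see differently. The subdomain name, addresses and file path are assumed placeholders.

```lua
-- recursor.lua: Lua config for an internal validating PowerDNS Recursor.
-- Assumed placeholders: private subdomain corp.test.com, internal
-- authoritative server 192.0.2.53, RPZ file path, overridden addresses.
--
-- Prerequisite in recursor.conf (not Lua): validate, and send the private
-- subdomain to the internal authoritative server instead of the public one.
--   dnssec=validate
--   forward-zones=corp.test.com=192.0.2.53

-- 1) Negative Trust Anchor. corp.test.com is unsigned and has no DS record
--    in the signed public test.com zone, so validation would mark it Bogus.
--    Scope the NTA to the private subdomain only, never to test.com itself,
--    or validation of the entire public zone is switched off.
addNTA("corp.test.com", "private unsigned subdomain served internally")

-- 2) RPZ instead of a shadow copy of test.com: only the names that must
--    differ for internal clients are listed; everything else still comes
--    from the public, signed zone, so nothing has to be kept in sync.
rpzFile("/etc/powerdns/internal-overrides.rpz", {
  policyName = "internal-overrides",
})

-- Contents of /etc/powerdns/internal-overrides.rpz (constructed example).
-- Owner names are relative to the RPZ origin; a "Local Data" record
-- replaces the answer for exactly that name and nothing else.
--
--   $TTL 300
--   @               SOA localhost. hostmaster.localhost. 1 3600 900 604800 300
--   @               NS  localhost.
--   www.test.com    A   192.0.2.10   ; internal-facing address
--   mail.test.com   A   192.0.2.25
```

Answers rewritten by the RPZ, like records under the NTA, are unsigned, so an internal host that validates DNSSEC itself instead of trusting the recursor will reject them.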