[Pdns-users] DNSSEC + Split DNS

rob777 rogbru at gmail.com
Thu Apr 9 08:57:57 UTC 2026


Hi

Thanks a lot for the reference to NTAs - yes, this seems to be
straightforward.

The headache comes indeed mainly with these few shadow records - though I'm
not sure if I mean exactly the same as you with the term "Shadow Record".

Example of what I mean:

External Side:
- a configured A Record server01.bla.test.com points to 194.88.45.32 on the
external Public Zone of test.com in the AWS R53 config
- only external clients are resolving server01.bla.test.com to this
194.88.145.32 IP


Internal Side:
- a configured A Record server01.bla.test.com points to 192.168.1.22 on the
internal bla.test.com Zone on the internal Powerdns Authoritative
- only internal Clients/Servers resolve server01.bla.test.com to this
192.168.1.22 IP via the forward-zone=bla.test.com on the internal DNS
Recursor


I would assume that since the internal resolution path would be via the
forward-zone configuration of bla.test.com, it should work when the internal
zone bla.test.com is not DNSSEC-enabled and the external bla.test.com is
DNSSEC-enabled.

But I'm absolutely and 100% unsure about this and I don't like this
situation at all.

Best Regards


On Thu, 9 Apr 2026 at 10:38, Brian Candler <b.candler at pobox.com
> wrote:

> On 09/04/2026 09:13, rob777 via Pdns-users wrote:
>
> Do I create a mess with this planned DNSSEC enabling on the external
> test.com DNS Zone?
>
> If it's just a case of private, unsigned subdomains of test.com, then all
> you need to do is to set Negative Trust Anchors for these subdomains on
> your internal recursor(s), and it will be fine.
>
> See: https://doc.powerdns.com/recursor/settings.html#forward-zones
>
> The fact that you have conflicting parent zones ("shadow zone") might be
> more problematic, but I'm not sure. Personally, I'd get rid of the shadow
> test.com zone and use an RPZ to override the specific answers that you
> want to be different for internal clients - which you say is only 2 or 3
> records. It's much more maintainable too, since anything you add to the
> public test.com zone will be visible to internal clients automatically;
> you don't have to keep the shadow zone file in sync.
>
> https://doc.powerdns.com/recursor/lua-config/rpz.html
>
>
>
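As an added example, not part of this thread and not code from the PowerDNS project: a Recursor `lua-config-file` that implements the two options Brian describes for the setup above, either keeping the unsigned internal bla.test.com behind a forward-zone plus a Negative Trust Anchor, or dropping the shadow zone and overriding the few differing names with an RPZ. The record names and addresses come from the message; the internal authoritative address 192.168.1.10, the file paths and the RPZ policy name "internal" are assumptions.

```lua
-- Added example (not from the thread or from PowerDNS): Recursor Lua config,
-- referenced from recursor.conf as
--   lua-config-file=/etc/powerdns/recursor.lua        (path assumed)
-- Use ONE of the two approaches below; comment out the other.

-- Approach A: keep the internal bla.test.com zone on the internal
-- Authoritative server and forward to it. The forward-zone itself lives in
-- recursor.conf (address 192.168.1.10 is an assumption):
--   forward-zones=bla.test.com=192.168.1.10
-- Once the public test.com is signed and publishes a DS for the signed public
-- bla.test.com, a validating Recursor would treat the unsigned answers coming
-- from the internal server as Bogus and SERVFAIL them. A Negative Trust
-- Anchor at that name tells the Recursor not to validate below it.
addNTA("bla.test.com", "internal unsigned copy of bla.test.com on internal auth")

-- Approach B: no shadow zone at all. The Recursor resolves the public,
-- signed zones normally (so new public records appear internally without any
-- sync), and an RPZ "Local Data" rule rewrites only the two or three names
-- that must differ for internal clients. Contents of the assumed zone file
-- /etc/powerdns/internal.rpz (owner names are relative to the RPZ apex):
--   $TTL 300
--   @                      SOA  localhost. hostmaster.localhost. 1 3600 600 86400 300
--   @                      NS   localhost.
--   server01.bla.test.com  A    192.168.1.22
-- Every other name under test.com is untouched by the policy.
rpzFile("/etc/powerdns/internal.rpz", { policyName = "internal" })
```

After editing the file, `rec_control reload-lua-config` picks up the change without a restart. With approach A the NTA is the piece that is easy to forget: without it, the moment the public delegation gains a DS record the internal names start failing validation, which is exactly the "mess" the question is about.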