[Pdns-users] DNSSEC + Split DNS
Brian Candler
b.candler at pobox.com
Thu Apr 9 09:09:11 UTC 2026
On 09/04/2026 09:57, rob777 via Pdns-users wrote:
> The headache comes indeed mainly with this few shadow records - though
> I'm not sure if I mean exactly the same as you with the term "Shadow
> Record".
>
> Example what i mean:
>
> External Side:
> - a configured A Record server01.bla.test.com points to 194.88.45.32 on
> the external Public Zone of test.com in the AWS R53 config
> - only external clients are resolving server01.bla.test.com to this
> 194.88.145.32 IP
>
> Internal Side:
> - a configured A Record server01.bla.test.com points to 192.168.1.22 on
> the internal bla.test.com Zone on the internal Powerdns Authoritative
> - only internal Clients/Servers resolve server01.bla.test.com to this
> 192.168.1.22 IP via the forward-zone=bla.test.com on the internal DNS
> Recursor
>
Ah, so these subdomains are also visible to public clients, not purely
for internal consumption? And you're going to sign these subdomains?
To get internal clients to see a different result for
server01.bla.test.com than what is in the public DNS, configuring a
Response Policy Zone on the recursor is the way I'd do it. This is what
RPZ is designed for: to override specific DNS answers.
However, I believe it should also work to have a different,
internal-only (and unsigned) bla.test.com zone with forward-zones and
NTA for bla.test.com on the recursor.
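The two options described in this reply, an RPZ override on the recursor and an unsigned internal bla.test.com reached via forward-zones with a Negative Trust Anchor, as an added example that is not from the thread or from the PowerDNS project: a small POSIX shell script that writes the RPZ zone file, the recursor.lua and a recursor.conf fragment in the PowerDNS Recursor 4.x configuration style. The file names, the RPZ zone name override.rpz, the internal authoritative address 192.168.1.10 and the helper function names are assumptions; the public and private addresses for server01.bla.test.com are the ones from the quoted message.

```shell
#!/bin/sh
# Added example: generate the split-DNS pieces for PowerDNS Recursor 4.x.
# Assumptions: recursor.conf/recursor.lua style config, RPZ zone called
# override.rpz, internal PowerDNS Authoritative at 192.168.1.10 (constructed).

# RPZ zone: an owner name relative to $ORIGIN is the trigger QNAME, and an
# A record at that owner is the RPZ "Local Data" action, i.e. the answer the
# recursor hands back instead of the public one.
write_rpz_zone() {
    dir=$1
    cat > "$dir/override.rpz" <<'EOF'
$TTL 300
$ORIGIN override.rpz.
@   IN  SOA localhost. hostmaster.localhost. ( 1 3600 900 604800 300 )
@   IN  NS  localhost.
; internal clients get the private address instead of the public 194.88.45.32
server01.bla.test.com   IN  A   192.168.1.22
EOF
}

# recursor.lua: load the RPZ, and add the NTA that the forward-zones variant
# needs so the unsigned internal bla.test.com is not marked Bogus under the
# signed public test.com.
write_recursor_lua() {
    dir=$1
    cat > "$dir/recursor.lua" <<EOF
-- policyName is what rec_control/log lines show when the policy hits
rpzFile("$dir/override.rpz", {policyName="internal-override"})
-- only needed for the unsigned internal zone + forward-zones variant
addNTA("bla.test.com", "internal unsigned split view of bla.test.com")
EOF
}

# recursor.conf fragment: validate on the recursor (answers rewritten by RPZ
# carry no signatures, so the recursor must be the validating hop) and
# forward the internal zone to the internal authoritative.
write_recursor_conf() {
    dir=$1
    cat > "$dir/recursor.conf" <<EOF
dnssec=validate
lua-config-file=$dir/recursor.lua
# constructed address of the internal PowerDNS Authoritative
forward-zones=bla.test.com=192.168.1.10
EOF
}

# Offline sanity check: print the A override an RPZ file holds for a name,
# exit 1 when the name has no override (i.e. the public answer would win).
rpz_override_for() {
    awk -v name="$2" '$1 == name && $3 == "A" { print $4; found = 1 }
                      END { exit found ? 0 : 1 }' "$1"
}

# Write all three files into one directory.
# Usage: write_split_dns_config /etc/powerdns, then restart the recursor
# (or rec_control reload-lua-config for the Lua part only).
write_split_dns_config() {
    mkdir -p "$1"
    write_rpz_zone "$1"
    write_recursor_lua "$1"
    write_recursor_conf "$1"
}
```

The RPZ path is the one to prefer when the recursor only serves internal clients: the override applies after the recursor has validated the public test.com data, and nothing about the public zone's signing changes. The NTA line matters only if the internal bla.test.com zone is served unsigned by the internal authoritative and reached through forward-zones; without it a validating recursor treats the unsigned answers under a signed parent as Bogus.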