Use of private and public DNS with DNSSEC

My company, 'example.com', has a public host www.example.com. The (legacy Windows managed) internal network has several internal hosts internalhost1.example.com, internalhost2.example.com and so on.

The internal network has an internal private authoritative DNS server for example.com. The public DNS server is hosted somewhere on the internet. External users on the internet cannot resolve the internal hosts; they are not available on the public DNS server. Internal users can resolve internal hosts because they are using the internal DNS server to resolve.

Now the public DNS is in the process of getting secured by DNSSEC. I have verified that currently the internal clients do not seem to care that the external DNS is secured by DNSSEC; they just continue trusting the internal DNS server. The clients are 'non-validating'.

Now my question is if there is any plan or roadmap to force all clients to validate DNSSEC? How long will the above setup work if we secure the public DNS with DNSSEC and keep the private DNS non-DNSSEC? A year? Ten years? Forever? Should we convert our internal domain to example.local or can we leave it example.com?


Solution 1:

TL;DR: if you manage your workstations, then your workstations will always work as you expect.

Internal systems should have been a subdomain of the public domain; then you can delegate/sign the internal zone from your parent domain, and you would also no longer need split DNS, as your external records (www.example.com) would resolve externally. You CAN add A records that point to internal addresses externally, but you cannot add glue records for internal IPs. Also, I would recommend always using a domain name you control, and not a fictitious example.local, and absolutely not a domain.companytld.

Windows (Name Resolution Policy Table (NRPT)) and Linux (systemd-resolve) both support client-side settings for DNSSEC validation, as well as the ability to specify which domains should always be signed.

Other things to consider: DoH (DNS over HTTPS), which could bypass all your existing security and DNS manipulations.
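As an added example (not part of the answer above), this is how the NRPT rule the answer refers to would be created on a domain-joined Windows client with PowerShell. It assumes the internal DNS server for example.com is at 10.0.0.10 (a placeholder address) and that the internal example.com zone has been signed, since with the -DnsSecValidationRequired switch set, an unsigned internal zone would make every internal lookup fail.

```powershell
# Added example, not from the original answer.
# Assumptions: internal DNS server for example.com at 10.0.0.10 (placeholder),
# and the internal example.com zone is signed so that validation can succeed.

# Send every query under example.com to the internal server and require that the
# answers come back DNSSEC-validated. The Windows resolver is a non-validating
# stub: it checks the AD (authenticated data) bit set by the server rather than
# validating signatures itself, so the internal server must be a validating one.
Add-DnsClientNrptRule -Namespace ".example.com" `
    -NameServers "10.0.0.10" `
    -DnsSecEnable `
    -DnsSecValidationRequired `
    -Comment "Internal example.com zone; DNSSEC validation required"

# Confirm what the client will now enforce for the namespace.
Get-DnsClientNrptRule |
    Where-Object { $_.Namespace -eq ".example.com" } |
    Format-List Namespace, NameServers, DnsSecValidationRequired, Comment

# Test lookup: with the rule in place this only returns an answer if the
# internal server produced a validated (AD-bit) response for the name.
Resolve-DnsName -Name "internalhost1.example.com" -Type A -DnssecOk
```

To roll this out centrally rather than per machine, the same rule is set through Group Policy (Computer Configuration > Policies > Windows Settings > Name Resolution Policy) or by passing -GpoName to Add-DnsClientNrptRule on a domain controller; removing it again is Remove-DnsClientNrptRule with the rule's Name.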