John Williams john.1209 at yahoo.com
Tue Aug 9 16:13:16 UTC 2011

My company (as many) run Microsoft Active Directory internally and we use BIND for our Internet DNS presence.  We have had our domain singed for some time.  Now I've been tasked to look into Signing our AD implementation.  MS has their own version of DNSSEC for their DNS but my question is would this work, at all?

My (signed) external zone running on BIND is aaa.com, and my internal AD domain is aaa.com as well.  I don't believe I can have two signatures (or DS records) for a child domain on the parent.  The only solution I can think of is import my BIND keys into Active Directory DNS.  I don't know if that is doable at this time.

I know this is not uniquely a BIND issue but I'm hoping that someone has run into this and can possibly provide insight to a solution.

More information about the bind-users mailing list