DNSSEC and MS AD

Chris Buxton chris.p.buxton at gmail.com
Tue Aug 9 17:00:54 UTC 2011


On Aug 9, 2011, at 9:13 AM, John Williams wrote:

> My company (as many) run Microsoft Active Directory internally and we use BIND for our Internet DNS presence.  We have had our domain singed for some time.  Now I've been tasked to look into Signing our AD implementation.  MS has their own version of DNSSEC for their DNS but my question is would this work, at all?
> 
> My (signed) external zone running on BIND is aaa.com, and my internal AD domain is aaa.com as well.  I don't believe I can have two signatures (or DS records) for a child domain on the parent.  The only solution I can think of is import my BIND keys into Active Directory DNS.  I don't know if that is doable at this time.

With a private version of a domain, you should not need to worry about a DS record in the parent. Just make sure your internal caching servers not only can find the internal version of your domain, but also can validate the signatures therein, most likely using a trusted or managed key specific to that internal domain.

I'll not try to get into the specifics of using MS DNS for this purpose because this is not the right forum.

Regards,
Chris Buxton
BlueCat Networks


More information about the bind-users mailing list