Marc Lampo marc.lampo at eurid.eu
Wed Aug 10 06:11:51 UTC 2011

Unless I'm very mistaken, an "AD Integrated" (as opposed to
"primary"/"secondary") zone cannot be protected by DNSSEC.  (remember
having read this in the MS's DNSSEC document).

Also (in that document) : max algorithm supported is 5 (RSASHA1).
This means that using MS DNS as validating caching name server is
as the root uses algorithm 8 and domains with unknown algorithms are
treated as "unsigned".
--> for MS DNS, the chain-of-trust breaks right at the top level, not ?

Kind regards,

Marc Lampo
Security Officer

-----Original Message-----
From: John Williams [mailto:john.1209 at yahoo.com] 
Sent: 09 August 2011 06:13 PM
To: bind-users at lists.isc.org
Subject: DNSSEC and MS AD

My company (as many) run Microsoft Active Directory internally and we use
BIND for our Internet DNS presence.  We have had our domain singed for
some time.  Now I've been tasked to look into Signing our AD
implementation.  MS has their own version of DNSSEC for their DNS but my
question is would this work, at all?

My (signed) external zone running on BIND is aaa.com, and my internal AD
domain is aaa.com as well.  I don't believe I can have two signatures (or
DS records) for a child domain on the parent.  The only solution I can
think of is import my BIND keys into Active Directory DNS.  I don't know
if that is doable at this time.

I know this is not uniquely a BIND issue but I'm hoping that someone has
run into this and can possibly provide insight to a solution.

More information about the bind-users mailing list