DNSSEC and MS AD
andreev.peter at gmail.com
Wed Aug 10 07:19:37 UTC 2011
2011/8/9 Chris Buxton <chris.p.buxton at gmail.com>:
> On Aug 9, 2011, at 10:07 AM, John Williams wrote:
>> --- On Tue, 8/9/11, Chris Buxton <chris.p.buxton at gmail.com> wrote:
>>> With a private version of a domain, you should not need to
>>> worry about a DS record in the parent. Just make sure your
>>> internal caching servers not only can find the internal
>>> version of your domain, but also can validate the signatures
>>> therein, most likely using a trusted or managed key specific
>>> to that internal domain.
>>> I'll not try to get into the specifics of using MS DNS for
>>> this purpose because this is not the right forum.
>>> Chris Buxton
>>> BlueCat Networks
>> Based on your response, I'm wondering how an application such as Exchange (SMTP, which clearly relies on DNS) will work in this model. Are there there any affects of the parent domain (.com, .net, whatever...) not having the DS records? for the domain?
> I don't follow your reasoning.
> For SMTP, the DNS-related operation is in looking up the MX and A/AAAA records of other mail servers based on an outgoing message. If you're worried about other mail servers finding your Exchange server, there are two cases:
> - External. My comments had nothing to do with external (Internet-facing) DNS records. There, you would want to have DS records put into the parent zone to be able to authenticate the link from parent to child.
> - Internal. If you're using MX records internally, you're either very large or misguided. If you are large enough to warrant this, then your caching servers should be able to follow your internal chain of trust, starting at a private trust anchor. This is the point I was getting at.
> The use of internal, private namespace should be entirely transparent to any service other than DNS. Your mail server should not need to know about it, and should not be able to detect it (other than watching for private address space and obviously-private domain names like "corp.dom").
As I understood from there -
Chris' scenario should work. But I doubt that it is reasonable to use
DNSSEC for internal domain and, moreover, with such limitations.
> Chris Buxton
> BlueCat Networks
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users at lists.isc.org
More information about the bind-users