DNSSEC and forward zones

Lyle Giese lyle at lcrcomputer.net
Tue Nov 1 20:16:47 UTC 2011


On 11/1/2011 3:00 PM, Phil Mayers wrote:
> On 11/01/2011 06:24 PM, Lyle Giese wrote:
>
>> A work-around (and it has some side effects and could be undesirable,
>> just be aware of the side effects of doing this) is to declare .internal
>> as a master zone in your DNS servers and then delegate
>> policydomain.internal to your Windows AD servers in your .internal zone.
>
> I was about to suggest trying that, but wasn't sure how it would
> interact with DNSSEC; any ideas?

When you declare yourself as Master, then the zone starts here and it 
doesn't ask the 'parent' for the keys for the zone.  Since you won't 
sign it as I assume the AD zone is not signed and is only for internal 
use, you will be good.

Lyle Giese
LCR Computer Services, Inc.
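
The layout described in this thread, as an added example that is not part of the original messages: a zone file for a locally mastered `internal` zone that delegates `policydomain.internal` to the AD DNS servers. The file name, host names, serial and 192.0.2.x addresses are constructed placeholders.

```dns
; db.internal (constructed example; file name, host names and addresses
; are placeholders, not values from the thread).
; Loaded by a named.conf stanza such as:
;   zone "internal" { type master; file "db.internal"; };
$TTL 3600
$ORIGIN internal.
@   IN SOA ns1.internal. hostmaster.internal. (
        2011110101 ; serial
        3600       ; refresh
        900        ; retry
        604800     ; expire
        3600 )     ; negative-caching TTL
    IN NS  ns1.internal.
ns1 IN A   192.0.2.1

; Delegation of the AD zone to the Windows DNS servers.
policydomain      IN NS  dc1.policydomain
policydomain      IN NS  dc2.policydomain
; Glue records: the delegated name servers sit inside the child zone.
dc1.policydomain  IN A   192.0.2.10
dc2.policydomain  IN A   192.0.2.11
; The zone is left unsigned: no DNSKEY or RRSIG records are added.
```

With this zone loaded, the server answers authoritatively for every name under `internal`, so any other `internal` names in use must be added to the file or delegated as well.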



