Mark Andrews marka at
Sun Jul 1 00:52:31 UTC 2012

If you don't want to run named on Windows, it supports dynamic updates with

In message <4FEED285.7060103 at>, "Carsten Strotmann (private)" writes:
> Hello John,
> On 6/29/12 4:52 PM, John Williams wrote:
> > The purpose behind this is not to protect the internal AD DNS from 
> > hijacking.  But rather to allow internal clients to run DNSSEC
> > related queries without having to reference external resolvers.
> > 
> > dig +dnssec somedomain
> > 
> I have documented the steps to enable DNSSEC validation on Windows
> 2012 in my Blog:
> <>
> Keep in mind that DNSSEC requires that the authoritative and the
> resolving/caching DNS servers to be separate.
> Clients will not see the AD-Flag (Authenticated Data) for a zone that
> is hosted on the same DNS Server you're sending a recursive query to.
> Applications that depend on the AD flag will fail in this scenario.

It requires a little more configuration but they can see the AD flag.

Two views:
view 1.  match-recursive-only yes; + static stub zones pointing at for the local zones + dnssec configured and enabled.
view 2.  normal authoritative only view.
> This is a change for many people in the Windows AD world, as often the
> Windows DNS server is used as both authoritative and resolving at the
> same time.
> So a hybrid (both authoritative and caching/resolving) DNS Server can
> DNSSEC validate all domains except the domains it hosts itself (which
> are in case of AD the internal AD domains). This is true for BIND as
> well as for Windows 2012 DNS.
> The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
> no issue having BIND resolvers in an AD environment. It is however
> simpler to have the AD authoritative DNS Servers on Windows Server OS.
> Windows 2008R2 cannot validate the DNSSEC in the Internet, as it lacks
> support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.
> -- Carsten
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at
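A named.conf sketch of the two-view layout described above, added here as an illustration and not taken from the thread or from ISC's own examples. The zone name "example.internal", the address 192.0.2.1 and the trust-anchor key value are placeholders; the local zone is assumed to be already signed and named is assumed to listen on that address.

```conf
// Added example, not part of the original thread: two views so clients
// get validated (AD) answers even for zones this same named hosts.
options {
    directory "/var/named";
    listen-on { 192.0.2.1; };   // placeholder address for this server
};

// View 1: recursive, validating. match-recursive-only means only RD=1
// (client) queries match here; named's own iterative RD=0 lookups sent
// to the static-stub address fall through to view 2 below.
view "resolver" {
    match-recursive-only yes;
    recursion yes;
    dnssec-validation auto;     // root trust anchor for Internet zones

    // The internal zone is not reachable from the public root, so the
    // validator needs its KSK as a local trust anchor (placeholder value).
    trusted-keys {
        "example.internal" 257 3 8 "PLACEHOLDER-BASE64-KSK-PUBLIC-KEY";
    };

    // Static stub instead of hosting the zone in this view: answers come
    // from the authoritative view as ordinary upstream data and are
    // validated like any other, so the AD flag is set on success.
    zone "example.internal" {
        type static-stub;
        server-addresses { 192.0.2.1; };
    };
};

// View 2: authoritative only. Serves RD=0 queries, including the ones
// view 1 sends to itself, from the signed zone file.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "example.internal" {
        type master;
        file "example.internal.db.signed";   // assumed pre-signed zone
    };
};
```

To check the result, query the server with `dig +dnssec` for a name in the local zone from a client and confirm the `ad` flag appears in the answer's flags.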
