BIND, DNSSEC & AD

Mark Andrews marka at isc.org
Sun Jul 1 00:52:31 UTC 2012


If you don't want to run named on Windows, it supports dynamic updates with
GSS-TSIG + DNSSEC.

In message <4FEED285.7060103 at strotmann.de>, "Carsten Strotmann (private)" writes:
> Hello John,
> 
> On 6/29/12 4:52 PM, John Williams wrote:
> > The purpose behind this is not to protect the internal AD DNS from 
> > hijacking.  But rather to allow internal clients to run DNSSEC
> > related queries without having to reference external resolvers.
> > 
> > dig +dnssec somedomain
> > 
> 
> I have documented the steps to enable DNSSEC validation on Windows
> 2012 in my Blog:
> <http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns>
> 
> Keep in mind that DNSSEC requires that the authoritative and the
> resolving/caching DNS servers to be separate.
> 
> Clients will not see the AD-Flag (Authenticated Data) for a zone that
> is hosted on the same DNS Server you're sending a recursive query to.
> Applications that depend on the AD flag will fail in this scenario.

It requires a little more configuration but they can see the AD flag.

Two views:
view 1.  match-recursive-only yes; + static stubs zones pointing at
	127.0.0.1 for the local zones + dnssec configured and enabled.
view 2.  normal authoritative only view.
 
> This is a change for many people in the Windows AD world, as often the
> Windows DNS server is used as both authoritative and resolving at the
> same time.
> 
> So a hybrid (both authoritative and caching/resolving) DNS Server can
> DNSSEC validate all domains except the domains it hosts itself (which
> are in case of AD the internal AD domains). This is true for BIND as
> well as for Windows 2012 DNS.
> 
> The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
> no issue having BIND resolvers in an AD environment. It is however
> simpler to have the AD authoritative DNS Servers on Windows Server OS.
> 
> Windows 2008R2 cannot validate the DNSSEC in the Internet, as it lacks
> support for NSEC3 and SHA256. But Windows 2012 is now full DNSSEC enabled.
> 
> -- Carsten
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
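The two-view layout described in the reply above, written out as a named.conf sketch. This is an added example, not configuration taken from the message; the zone name, addresses, client range and file name are placeholders.

```conf
// Added example: split resolver/authoritative views on one BIND host so that
// internal clients get the AD bit for a zone the same host serves.
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.53; };        // placeholder addresses
};

// View 1: only recursive (RD=1) queries from internal clients land here.
view "resolver" {
    match-clients { 192.0.2.0/24; 127.0.0.1; };   // placeholder client range
    match-recursive-only yes;
    recursion yes;
    dnssec-validation auto;   // validate with the built-in root trust anchor
    // The local zone is NOT loaded in this view. A static-stub entry makes the
    // resolver fetch it iteratively (RD=0) from 127.0.0.1; those queries are
    // not recursive, so they fall through to the authoritative view below,
    // and the answers are validated like any other and get the AD bit.
    zone "example.com" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
    // An internal zone that is not delegated from the public root also needs
    // its KSK configured as a local trust anchor (trusted-keys / trust-anchors)
    // in this view; otherwise it validates as insecure and carries no AD bit.
};

// View 2: plain authoritative service, no recursion. It catches everything
// view 1 did not match, including the RD=0 lookups coming from view 1.
view "authoritative" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "example.com.signed";   // the DNSSEC-signed zone file
    };
};
```

Checking from a client with `dig +dnssec example.com @192.0.2.53` should then show `ad` in the flags, while the same query with `+norecurse` is answered by the authoritative view without it.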
