BIND, DNSSEC & AD
marka at isc.org
Sun Jul 1 00:52:31 UTC 2012
If you don't want to run named on Windows, it supports dynamic updates with
GSS-TSIG + DNSSEC.
In message <4FEED285.7060103 at strotmann.de>, "Carsten Strotmann (private)" writes:
> Hello John,
> On 6/29/12 4:52 PM, John Williams wrote:
> > The purpose behind this is not to protect the internal AD DNS from
> > hijacking. But rather to allow internal clients to run DNSSEC
> > related queries without having to reference external resolvers.
> > dig +dnssec somedomain
> I have documented the steps to enable DNSSEC validation on Windows
> 2012 in my Blog:
> Keep in mind that DNSSEC requires the authoritative and the
> resolving/caching DNS servers to be separate.
> Clients will not see the AD flag (Authenticated Data) for a zone that
> is hosted on the same DNS server you're sending a recursive query to.
> Applications that depend on the AD flag will fail in this scenario.
It requires a little more configuration but they can see the AD flag.
view 1. match-recursive-only yes; + static-stub zones pointing at
127.0.0.1 for the local zones + DNSSEC configured and enabled.
view 2. normal authoritative-only view.
> This is a change for many people in the Windows AD world, as often the
> Windows DNS server is used as both authoritative and resolving at the
> same time.
> So a hybrid (both authoritative and caching/resolving) DNS Server can
> DNSSEC validate all domains except the domains it hosts itself (which
> are in case of AD the internal AD domains). This is true for BIND as
> well as for Windows 2012 DNS.
> The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
> no issue having BIND resolvers in an AD environment. It is however
> simpler to have the AD authoritative DNS Servers on Windows Server OS.
> Windows 2008R2 cannot validate the DNSSEC in the Internet, as it lacks
> support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.
> -- Carsten
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
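An added example of the two-view named.conf layout Mark describes (not taken from the thread or from ISC documentation): RD=1 queries hit a validating view that learns the local zone via static-stub from 127.0.0.1, and the RD=0 queries that static-stub generates fall through to a plain authoritative view on the same host. The zone name, file path, client range and trust-anchor key are placeholders, and the syntax is BIND 9.8/9.9-era.

```text
// Added example, not from the original post. Placeholders: ad.example.internal,
// 192.0.2.0/24, the zone file path and the KSK string. Views are matched in order.
options {
    listen-on { 127.0.0.1; 192.0.2.53; };   // 192.0.2.53 is a placeholder address
    allow-query { any; };
};

// View 1: matches only queries with RD=1 (recursive queries from clients).
// It can set AD on the local zone because it does not serve that zone
// itself; it fetches it over the wire like any other zone and validates it.
view "resolver" {
    match-recursive-only yes;
    recursion yes;
    allow-recursion { 127.0.0.0/8; 192.0.2.0/24; };   // placeholder client range
    dnssec-validation auto;      // root trust anchor, maintained via RFC 5011

    // Local zone fetched from the authoritative view on this same host.
    // static-stub queries are sent with RD=0, so they match view "auth" below.
    zone "ad.example.internal" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };

    // An internal zone is not chained from the root, so its signed KSK must be
    // configured as a trust anchor here or no AD flag will be set for it.
    trusted-keys {
        "ad.example.internal" 257 3 8 "PLACEHOLDER-KSK-PUBLIC-KEY-BASE64";
    };
};

// View 2: everything that did not match view 1, i.e. RD=0 queries from the
// resolver view and from other servers. Authoritative only, no recursion.
view "auth" {
    match-clients { any; };
    recursion no;

    zone "ad.example.internal" {
        type master;
        file "/var/named/ad.example.internal.signed";   // placeholder: signed zone file
        // dynamic-update (GSS-TSIG) policy omitted from this example
    };
};
```

Checking from a client: `dig +dnssec @192.0.2.53 ad.example.internal SOA` should show `ad` in the flags, while the same query with `+norecurse` lands in the "auth" view and returns `aa` without `ad`.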