BIND, DNSSEC & AD

Marc Lampo marc.lampo at eurid.eu
Mon Jul 2 06:32:02 UTC 2012


Hello,



Yes, would be ideal …



I understand you want to make the Windows DNS service “DNSSEC capable”
(by feeding it KSK’s of domains that have the same name internally as 
externally).
However:
you are aware that Windows DNS service understands DNSSEC algorithm 5
(RSA/SHA-1 – NSEC) at most?

-> since the root zone is already algo 8 (RSA/SHA-256)
-> since most tld’s are 7 or 8 and most with NSEC3
the Windows DNS service is going to treat most of DNSSEC’d name space as
“unsigned” anyway …



(another argument to switch to Bind, internally ?)



Kind regards,



Marc Lampo

Security Officer

EURid (for .eu)
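To make the algorithm argument above concrete, here is an added example (mine, not code from the thread, from ISC or from Microsoft) that walks a delegation chain from the root down and reports which zones a validator with a given set of supported DNSSEC algorithms would treat as secure. The per-resolver algorithm sets, the zone names and the DNSKEY records (including the placeholder key material) are constructed assumptions.

```python
import re

# IANA DNSSEC algorithm numbers discussed in the thread
RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256 = 5, 7, 8

# Assumed validator capabilities: the Windows DNS service as described in
# the thread stops at algorithm 5; BIND 9.7+ handles 5, 7 and 8.
WINDOWS_DNS_ALGS = {RSASHA1}
BIND_ALGS = {RSASHA1, RSASHA1_NSEC3_SHA1, RSASHA256}

DNSKEY_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(?P<flags>\d+)\s+3\s+(?P<alg>\d+)\s"
)

def ksk_algorithms(dnskey_lines):
    """Algorithms of the key-signing keys (SEP flag set, flags 257) in a
    zone's DNSKEY RRset given in presentation format."""
    algs = set()
    for line in dnskey_lines:
        m = DNSKEY_RE.match(line.strip())
        if not m:
            raise ValueError("not a DNSKEY record: " + line)
        if int(m.group("flags")) & 1:  # SEP bit -> KSK
            algs.add(int(m.group("alg")))
    return algs

def chain_status(chain, supported_algs):
    """Walk a delegation chain top-down. chain is a list of (zone, dnskey_lines).
    A zone validates only if its parent validated and at least one of its KSK
    algorithms is supported (RFC 4035 section 5.2); otherwise it, and every
    zone below it, is treated as insecure ("unsigned")."""
    status, parent_ok = {}, True
    for zone, lines in chain:
        ok = parent_ok and bool(ksk_algorithms(lines) & supported_algs)
        status[zone] = "secure" if ok else "insecure"
        parent_ok = ok
    return status

# Constructed sample chain mirroring the thread: root signed with alg 8, a
# TLD with alg 7 (NSEC3), and a domain whose keys are alg 5. The key
# material is a placeholder string, not a real public key.
SAMPLE_CHAIN = [
    (".", [". 172800 IN DNSKEY 257 3 8 AwEAAcONSTRUCTED=",
           ". 172800 IN DNSKEY 256 3 8 AwEAAcONSTRUCTED="]),
    ("example.", ["example. 86400 IN DNSKEY 257 3 7 AwEAAcONSTRUCTED="]),
    ("abc.example.", ["abc.example. 3600 IN DNSKEY 257 3 5 AwEAAcONSTRUCTED=",
                      "abc.example. 3600 IN DNSKEY 256 3 5 AwEAAcONSTRUCTED="]),
]
```

Running `chain_status(SAMPLE_CHAIN, WINDOWS_DNS_ALGS)` marks every zone insecure because the chain already breaks at the root, while feeding the domain's own alg-5 KSK directly as a trust anchor (`chain_status(SAMPLE_CHAIN[2:], WINDOWS_DNS_ALGS)`) validates that island on its own.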



From: John Williams [mailto:john.1209 at yahoo.com]
Sent: 29 June 2012 04:53 PM
To: Marc Lampo; bind-users at lists.isc.org
Subject: Re: BIND, DNSSEC & AD



The purpose behind this is not to protect the internal AD DNS from 
hijacking.  But rather to allow internal clients to run DNSSEC related 
queries without having to reference external resolvers.



dig +dnssec somedomain



By the way, integrating BIND into AD will not be permitted.  The AD staff 
will not allow that.  That would be ideal though.



Thanks,



JT




From: Marc Lampo <marc.lampo at eurid.eu>
To: 'John Williams' <john.1209 at yahoo.com>; bind-users at lists.isc.org
Sent: Friday, June 29, 2012 3:07 AM
Subject: RE: BIND, DNSSEC & AD



Hello,



(not a Bind related question !)



Last time I looked at Microsoft documentation I remember having seen that 
DNSSEC is for static files only,
*not* for “Active Directory integrated” domains !
If that is still true, I think the question about importing keys is 
irrelevant …



You would be needing Bind – from 9.7 onwards – for the DNS servers of the AD 
domains.
Bind can do the trick (DNSSEC + dynamic updating).

It would be sufficient to share the KSK, ZSK’s can be separate (as they are 
signed by the then shared KSK).



But is an internal AD domain really a plausible attack vector for 
hackers?



Kind regards,



Marc Lampo

Security Officer

EURid (for .eu)



From: John Williams [mailto:john.1209 at yahoo.com]
Sent: 28 June 2012 10:35 PM
To: bind-users at lists.isc.org
Subject: BIND, DNSSEC & AD



I have an environment that hosts a BIND based internet facing domain, call 
it abc.com.  I also have an internal Active Directory 
instance that hosts a MS based DNS instance called abc.com as well. 
Everything works fine until we decided to implement DNSSEC on Active 
Directory.

Here is my question, is it possible to integrate the two domains?  Can I 
import the BIND DNSSEC keys into MS AD and build DNSSEC into AD using that 
method?  Is there a better method?  I don't want to have AD DNS be my forward 
(Internet) facing application.

Thanks.

JT


