BIND, DNSSEC & AD
Marc Lampo
marc.lampo at eurid.eu
Fri Jun 29 07:07:46 UTC 2012
Hello,
(not a Bind related question !)
Last time I looked at Microsoft documentation I remember having seen that
DNSSEC is for static files only,
*not* for "Active Directory integrated" domains !
If that is still true, I think the question about importing keys is
irrelevant .
You would be needing Bind - from 9.7 onwards - for the DNS servers of the
AD domains.
Bind can do the trick (DNSSEC + dynamic updating).
It would be sufficient to share the KSK, ZSK's can be separate (as they
are signed by the then shared KSK).
But is the an internal AD domain really an plausible attack vector for
hackers ?
Kind regards,
Marc Lampo
Security Officer
EURid (for .eu)
From: John Williams [mailto:john.1209 at yahoo.com]
Sent: 28 June 2012 10:35 PM
To: bind-users at lists.isc.org
Subject: BIND, DNSSEC & AD
I have an environment that hosts a BIND based internet facing domain, call
it abc.com. I also have an internal Active Directory instance that hosts
a MS based DNS instance called abc.com as well. Everything works fine
until we decided to implement DNSSEC on Active Directory.
Here is my question, is it possible to integrate the two domains? Can I
import the BIND DNSSEC keys into MS AD and build DNSSEC into AD using that
method? Is there better method? I don't want to have AD DNS be my
forward (Internet) facing application.
Thanks.
JT
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20120629/dc51e2f1/attachment.html>
More information about the bind-users
mailing list