Carsten Strotmann (private) cas at
Sat Jun 30 10:18:45 UTC 2012


Hello John,

On 6/29/12 4:52 PM, John Williams wrote:
> The purpose behind this is not to protect the internal AD DNS from 
> hijacking.  But rather to allow internal clients to run DNSSEC
> related queries without having to reference external resolvers.
> dig +dnssec somedomain

I have documented the steps to enable DNSSEC validation on Windows
2012 in my Blog:

Keep in mind that DNSSEC requires that the authoritative and the
resolving/caching DNS servers be separate.

Clients will not see the AD flag (Authenticated Data) for a zone that
is hosted on the same DNS server you're sending a recursive query to.
Applications that depend on the AD flag will fail in this scenario.

This is a change for many people in the Windows AD world, as often the
Windows DNS server is used as both authoritative and resolving at the
same time.

So a hybrid (both authoritative and caching/resolving) DNS Server can
DNSSEC validate all domains except the domains it hosts itself (which
are in case of AD the internal AD domains). This is true for BIND as
well as for Windows 2012 DNS.

The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
no issue having BIND resolvers in an AD environment. It is however
simpler to have the AD authoritative DNS Servers on Windows Server OS.

Windows 2008R2 cannot validate DNSSEC on the Internet, as it lacks
support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.

-- Carsten
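The AD-flag behaviour described in the message, as an added example that is not part of the original post or of any project's code: it builds the same wire-format query `dig +dnssec somedomain` sends (RD plus an EDNS0 OPT record with the DO bit) and decodes the header flags of a reply to tell a validated answer from one a hybrid server gives for a zone it hosts itself. The two reply headers are constructed samples, not captured traffic, and the names `classify` and `response_flags` are assumptions of this example.

```python
import struct

# Flag bits of the DNS message header (RFC 1035; AD/CD from RFC 4035 section 3.2.3).
QR, AA, RD, RA, AD, CD = 0x8000, 0x0400, 0x0100, 0x0080, 0x0020, 0x0010


def build_dnssec_query(name, qtype=1, txid=0x1234):
    """Wire-format query for `name`: RD set plus an EDNS0 OPT record carrying
    the DO bit, which is what `dig +dnssec name` puts on the wire."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", qtype, 1)        # QTYPE, QCLASS=IN
    # OPT RR: root owner, TYPE=41, UDP payload 4096, ext rcode 0, version 0, DO=0x8000, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt


def response_flags(msg):
    """Decode the header flags of a DNS response into a dict."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(flags & QR), "aa": bool(flags & AA), "ra": bool(flags & RA),
            "ad": bool(flags & AD), "rcode": flags & 0x000F}


def classify(msg):
    """What the AD flag tells a client about this answer (hypothetical helper)."""
    f = response_flags(msg)
    if not f["qr"]:
        raise ValueError("not a response")
    if f["ad"]:
        return "validated"                   # the resolver performed DNSSEC validation
    if f["aa"]:
        return "authoritative-unvalidated"   # server hosts the zone itself; it never sets AD
    return "unvalidated"


# Constructed sample headers (first 12 bytes only; question/answer sections omitted).
# 1) A separate validating resolver answering for an external signed zone: QR RD RA AD.
RESOLVER_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 1)
# 2) A hybrid (authoritative + recursive) server answering for its own AD zone: QR AA RD RA.
HYBRID_OWN_ZONE_REPLY = struct.pack("!HHHHHH", 0x1234, QR | AA | RD | RA, 1, 1, 0, 1)

if __name__ == "__main__":
    print(build_dnssec_query("somedomain").hex())
    print(classify(RESOLVER_REPLY), classify(HYBRID_OWN_ZONE_REPLY))
```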