injecting records into transferred zone (hidden primary/inline DNSSEC)

Thomas Goldberg t.goldberg77 at
Thu Oct 16 10:03:52 UTC 2014


We're using BIND 9.9 as authoritative DNS server for some locally
managed zones and some Windows 2008 R2 Active Directory DNS zones
(hidden primary).
Now we would like to enable DNSSEC (inline signing by BIND) for the
Windows zones. Unfortunately we came across a small problem with this.

Assuming the following basic setup: (managed by BIND) (Windows domain zone, transferred from Windows DNS server) (special-purpose Windows domain zone,
transferred from Windows DNS server)

Enabling DNSSEC for and is simple. But for we've a problem:
DS records have to be inserted into the domain.
The Windows 2008 R2 DNS server doesn't allow us to create DS records
for Active Directory Integrated Zones.

Essentially we're looking for a way to inject DS records into a slave
zone (transferred from another DNS server).
We tried adding the DS records for to the zone file, but they are ignored by BIND.

Is there any other way to make this setup work with BIND?
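For readers following the thread, here is a named.conf fragment for the setup the post describes: one zone mastered by BIND with inline signing, and two zones pulled from a hidden Windows primary and signed inline by BIND on the slave side. This is an added example, not configuration from the original message or from ISC; the zone names example.com / ad.example.com / special.ad.example.com, the primary's address 192.0.2.10 and the key directory are assumed placeholders standing in for the names elided in the post.

```conf
// Added example: BIND 9.9 inline-signing for a hidden-primary setup.
// Zone names, addresses and paths below are assumptions, not the poster's.

options {
    directory "/var/named";
    dnssec-enable yes;
};

// Parent zone, managed by BIND itself: DS records for signed child
// zones can simply be added to its zone file.
zone "example.com" {
    type master;
    file "example.com.zone";
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
};

// Windows AD-integrated zone, transferred from the hidden primary.
// BIND signs the transferred data inline; the unsigned copy stays as is.
zone "ad.example.com" {
    type slave;
    masters { 192.0.2.10; };        // hidden Windows 2008 R2 DNS (assumed)
    file "ad.example.com.db";
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
};

// Special-purpose child of the Windows zone, also transferred from the
// hidden primary. Its DS record belongs in ad.example.com, i.e. in data
// that BIND only receives by zone transfer.
zone "special.ad.example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "special.ad.example.com.db";
    key-directory "keys";
    inline-signing yes;
    auto-dnssec maintain;
};
```

With this layout the DS record for example.com's signed children goes into the BIND-managed zone file as usual. For the slave zones, the `file` BIND writes is its own copy of the transferred data and is rewritten on each transfer, which is why records edited into that file by hand do not survive; any DS record for the child zone has to exist in the data the primary serves.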

