injecting records into transferred zone (hidden primary/inline DNSSEC)
t.goldberg77 at gmail.com
Thu Oct 16 10:03:52 UTC 2014
We're using bind 9.9 as authoritative DNS servers for some locally
managed zones and some Windows 2008 R2 Active Directory DNS zones.
Now we would like to enable DNSSEC (inline signing by bind) for the
Windows zones. Unfortunately we came across a small problem with this.
Assuming the following basic setup:
example.com (managed by bind)
win.example.com (Windows domain zone, transferred from the Windows DNS server)
_msdcs.win.example.com (special-purpose Windows domain zone,
transferred from the Windows DNS server)
Enabling DNSSEC for example.com and win.example.com is simple. But for
_msdcs.win.example.com we've a problem:
DS records have to be inserted into the win.example.com domain.
The Windows 2008 R2 DNS server doesn't allow us to create DS records
for Active Directory Integrated Zones.
Essentially we're looking for a way to inject DS records into a slave
zone (transferred from another DNS server).
We tried adding the DS records for _msdcs.win.example.com to the
example.com zone file but they are ignored by bind.
Is there any other way to make this setup work with bind?
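For reference, the zone layout described in this post expressed as a BIND 9.9 named.conf fragment with inline signing on all three zones. This is an added example, not configuration from the poster or from ISC; the directory paths, key directory and the 192.0.2.10 address of the Windows DNS server are assumptions. The comments state where each DS record has to live (at the delegation point in the immediate parent zone), which is why a DS for _msdcs.win.example.com added to the example.com zone file is occluded by the win.example.com delegation and never served. It does not solve the problem the post raises; it only makes the constraint visible.

```conf
// Added example (not from the original post): named.conf fragment mirroring
// the three-zone setup above with BIND 9.9 inline signing.
// Paths, key directory and the 192.0.2.10 address are assumptions.
options {
    directory "/var/named";
    key-directory "/var/named/keys";   // assumed location of the ZSK/KSK files
};

// Locally managed parent zone, signed in place by named.
// The DS for win.example.com belongs here, next to the NS delegation,
// because DS records live at the delegation point in the parent zone.
zone "example.com" {
    type master;
    file "db/example.com";
    auto-dnssec maintain;
    inline-signing yes;
};

// Windows AD zone transferred from the Windows DNS server and signed on the
// fly by named. All of its unsigned data, including the NS delegation for
// _msdcs.win.example.com, comes from the master via AXFR/IXFR, so the DS
// for _msdcs.win.example.com (which must sit at that delegation) cannot
// simply be added to the local copy.
zone "win.example.com" {
    type slave;
    masters { 192.0.2.10; };           // assumed address of the Windows DNS server
    file "db/win.example.com";
    auto-dnssec maintain;
    inline-signing yes;
};

// Also transferred from Windows and inline-signed. A DS for this zone placed
// in example.com's zone file lies below the win.example.com delegation cut,
// so named treats it as occluded, out-of-authority data and ignores it.
zone "_msdcs.win.example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "db/_msdcs.win.example.com";
    auto-dnssec maintain;
    inline-signing yes;
};
```

Note that inline-signing on a slave zone requires a `file` statement, since named keeps the unsigned transferred copy and the signed copy (with a `.signed` suffix) side by side; the signed copy is what gets served and what downstream secondaries receive.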