<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><!--[if !mso]><style>v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style><![endif]--><style><!--
/* Font Definitions */
@font-face
{font-family:Wingdings;
panose-1:5 0 0 0 0 0 0 0 0 0;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p.MsoAcetate, li.MsoAcetate, div.MsoAcetate
{mso-style-priority:99;
mso-style-link:"Balloon Text Char";
margin:0cm;
margin-bottom:.0001pt;
font-size:8.0pt;
font-family:"Tahoma","sans-serif";}
p.yiv166176305msonormal, li.yiv166176305msonormal, div.yiv166176305msonormal
{mso-style-name:yiv166176305msonormal;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
p.yiv166176305msochpdefault, li.yiv166176305msochpdefault, div.yiv166176305msochpdefault
{mso-style-name:yiv166176305msochpdefault;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.yiv166176305msohyperlink
{mso-style-name:yiv166176305msohyperlink;}
span.yiv166176305msohyperlinkfollowed
{mso-style-name:yiv166176305msohyperlinkfollowed;}
span.yiv166176305emailstyle17
{mso-style-name:yiv166176305emailstyle17;}
p.yiv166176305msonormal1, li.yiv166176305msonormal1, div.yiv166176305msonormal1
{mso-style-name:yiv166176305msonormal1;
margin:0cm;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.yiv166176305msohyperlink1
{mso-style-name:yiv166176305msohyperlink1;
color:blue;
text-decoration:underline;}
span.yiv166176305msohyperlinkfollowed1
{mso-style-name:yiv166176305msohyperlinkfollowed1;
color:purple;
text-decoration:underline;}
span.yiv166176305emailstyle171
{mso-style-name:yiv166176305emailstyle171;
font-family:"Arial","sans-serif";
color:#1F497D;}
p.yiv166176305msochpdefault1, li.yiv166176305msochpdefault1, div.yiv166176305msochpdefault1
{mso-style-name:yiv166176305msochpdefault1;
mso-margin-top-alt:auto;
margin-right:0cm;
mso-margin-bottom-alt:auto;
margin-left:0cm;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle27
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
span.BalloonTextChar
{mso-style-name:"Balloon Text Char";
mso-style-priority:99;
mso-style-link:"Balloon Text";
font-family:"Tahoma","sans-serif";}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:72.0pt 72.0pt 72.0pt 72.0pt;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-ZA link=blue vlink=purple><div class=WordSection1>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Hello,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Yes, that would be ideal …<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>I understand you want to make the Windows DNS service “DNSSEC capable”<br>(by feeding it the KSKs of domains that have the same name internally as externally).<br>However:<br>are you aware that the Windows DNS service understands DNSSEC algorithm 5 (RSA/SHA-1 – NSEC) at most?<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>→ since the root zone is already algo 8 (RSA/SHA-256)<br>→ since most TLDs are 7 or 8, most with NSEC3,<br>the Windows DNS service is going to treat most of the DNSSEC’d name space as “unsigned” anyway …<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>(another argument to switch to Bind internally?)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Kind regards,<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Marc Lampo<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>Security Officer<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>EURid (for .eu)<o:p></o:p></span></p>
<p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p>
<div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> John Williams [mailto:john.1209@yahoo.com] <br><b>Sent:</b> 29 June 2012 04:53 PM<br><b>To:</b> Marc Lampo; bind-users@lists.isc.org<br><b>Subject:</b> Re: BIND, DNSSEC & AD<o:p></o:p></span></p></div></div>
<p class=MsoNormal><o:p> </o:p></p>
<div><div><p class=MsoNormal style='background:white'><span style='color:black'>The purpose behind this is not to protect the internal AD DNS from hijacking, but rather to allow internal clients to run DNSSEC-related queries without having to reference external resolvers.<o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'>dig +dnssec somedomain<o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'>By the way, integrating BIND into AD will not be permitted. The AD staff will not allow that. That would be ideal, though.<o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'>Thanks,<o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'>JT<o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p></div>
<div><div><div><div class=MsoNormal align=center style='text-align:center;background:white'><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'><hr size=1 width="100%" align=center></span></div>
<p class=MsoNormal style='background:white'><b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>From:</span></b><span style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'> Marc Lampo <<a href="mailto:marc.lampo@eurid.eu">marc.lampo@eurid.eu</a>><br><b>To:</b> 'John Williams' <<a href="mailto:john.1209@yahoo.com">john.1209@yahoo.com</a>>; <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a> <br><b>Sent:</b> Friday, June 29, 2012 3:07 AM<br><b>Subject:</b> RE: BIND, DNSSEC & AD</span><span style='color:black'><o:p></o:p></span></p></div>
<p class=MsoNormal style='background:white'><span style='color:black'><o:p> </o:p></span></p>
<div id=yiv166176305><div><div><div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Hello,</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>(not a Bind-related question!)</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Last time I looked at the Microsoft documentation, I remember having seen that DNSSEC is for static files only,<br>*<b>not</b>* for “Active Directory<i>-integrated</i>” domains!<br>If that is still true, I think the question about importing keys is irrelevant …</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>You would be needing Bind – from 9.7 onwards – for the DNS servers of the AD domains.<br>Bind can do the trick (DNSSEC + dynamic updating).</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>It would be sufficient to share the KSK; the ZSKs can be separate (as they are signed by the then-shared KSK).</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>But is an internal AD domain really a plausible attack vector for hackers?</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Kind regards,</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Marc Lampo</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>Security Officer</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'>EURid (for .eu)</span><span style='color:black'><o:p></o:p></span></p></div>
<div><p class=MsoNormal style='background:white'><span style='font-size:11.0pt;font-family:"Arial","sans-serif";color:#1F497D'> </span><span style='color:black'><o:p></o:p></span></p></div>
<div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><div><p class=MsoNormal style='background:white'><b><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Arial","sans-serif";color:black'> John Williams [<a href="mailto:john.1209@yahoo.com">mailto:john.1209@yahoo.com</a>] <br><b>Sent:</b> 28 June 2012 10:35 PM<br><b>To:</b> <a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br><b>Subject:</b> BIND, DNSSEC & AD</span><span style='color:black'><o:p></o:p></span></p></div></div></div>
<div><p class=MsoNormal style='background:white'><span style='color:black'> <o:p></o:p></span></p></div>
<div><div><p class=MsoNormal style='background:white'><span style='color:black'>I have an environment that hosts a BIND-based, Internet-facing domain, call it abc.com. I also have an internal Active Directory instance that hosts an MS-based DNS instance called abc.com as well. Everything worked fine until we decided to implement DNSSEC on Active Directory.<br><br>Here is my question: is it possible to integrate the two domains? Can I import the BIND DNSSEC keys into MS AD and build DNSSEC into AD using that method? Is there a better method? I don't want AD DNS to be my forward (Internet-facing) application.<br><br>Thanks.<br><br>JT<o:p></o:p></span></p></div></div></div></div></div>
<p class=MsoNormal style='margin-bottom:12.0pt;background:white'><span style='color:black'><o:p> </o:p></span></p></div></div></div></div></body></html>