On Aug 9, 2011, at 9:13 AM, John Williams wrote:

> My company (as many) runs Microsoft Active Directory internally and we use 
> BIND for our Internet DNS presence.  We have had our domain signed for some 
> time.  Now I've been tasked to look into signing our AD implementation.  MS 
> has their own version of DNSSEC for their DNS, but my question is: would this 
> work, at all?
> 
> My (signed) external zone running on BIND is aaa.com, and my internal AD 
> domain is aaa.com as well.  I don't believe I can have two signatures (or DS 
> records) for a child domain on the parent.  The only solution I can think of 
> is to import my BIND keys into Active Directory DNS.  I don't know if that is 
> doable at this time.

With a private version of a domain, you should not need to worry about a DS 
record in the parent. Just make sure your internal caching servers not only can 
find the internal version of your domain, but also can validate the signatures 
therein, most likely using a trusted or managed key specific to that internal 
domain.

I'll not try to get into the specifics of using MS DNS for this purpose because 
this is not the right forum.

Regards,
Chris Buxton
BlueCat Networks
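As an added illustration of the arrangement Chris describes (not part of either message in the thread, and not a configuration from BlueCat or ISC), the fragment below shows how an internal BIND caching resolver could be pointed at the internal copy of aaa.com and given a trust anchor for that copy, so the internal signatures validate without any DS record in .com. The internal authoritative address 10.0.0.5 and the key material are constructed placeholders; the real key is the public KSK of whichever key signs the internal zone, which must differ from the public zone's keys unless those keys are actually shared between the two servers.

```conf
options {
    // Validate all answers; the root anchor covers the Internet namespace
    // and the anchor below covers the private copy of aaa.com.
    dnssec-validation auto;
};

// Send queries for the internal domain to the internal authoritative
// server (AD DNS in the poster's case) instead of the public one.
// 10.0.0.5 is a constructed example address.
zone "aaa.com" {
    type forward;
    forward only;
    forwarders { 10.0.0.5; };
};

// Trust anchor for the INTERNAL aaa.com: the KSK that signs the private
// zone. The resolver validates from this anchor directly, so no DS for
// this key needs to exist in the .com zone. Key data is a placeholder.
managed-keys {
    "aaa.com." initial-key 257 3 8 "AwEAA...INTERNAL-KSK-PUBLIC-KEY-PLACEHOLDER...";
};
```

A quick check once this is in place: query the resolver with `dig +dnssec aaa.com SOA @127.0.0.1` and confirm the answer comes from the internal copy (internal serial, internal address records) and carries the `ad` flag in the header; if validation fails you get SERVFAIL, and `rndc dumpdb -all` or the resolver log shows which signature or key did not verify. Note that `forward only` requires the internal server to return RRSIGs when asked with the DO bit, and that whoever manages the internal zone must publish the new KSK to this resolver before rolling the key, since there is no parent DS to drive an automated rollover.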

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
