Unless I'm very mistaken, an "AD Integrated" (as opposed to "primary"/"secondary") zone cannot be protected by DNSSEC. (I remember having read this in MS's DNSSEC document.)

Also (in that document): the maximum algorithm supported is 5 (RSASHA1). This means that using MS DNS as a validating caching name server is pointless, as the root uses algorithm 8, and domains with unknown algorithms are treated as "unsigned" --> for MS DNS, the chain of trust breaks right at the top level, no?

Kind regards,
Marc Lampo
EURid Security Officer

-----Original Message-----
From: John Williams [mailto:john.1...@yahoo.com]
Sent: 09 August 2011 06:13 PM
To: bind-users@lists.isc.org
Subject: DNSSEC and MS AD

My company (as many do) runs Microsoft Active Directory internally, and we use BIND for our Internet DNS presence. We have had our domain signed for some time. Now I've been tasked to look into signing our AD implementation. MS has its own version of DNSSEC for their DNS, but my question is: would this work at all?

My (signed) external zone running on BIND is aaa.com, and my internal AD domain is aaa.com as well. I don't believe I can have two signatures (or DS records) for a child domain on the parent. The only solution I can think of is to import my BIND keys into Active Directory DNS. I don't know if that is doable at this time.

I know this is not uniquely a BIND issue, but I'm hoping that someone has run into this and can possibly provide insight to a solution.

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
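Marc's "chain of trust breaks right at the top" point, worked through as an added example (this is not code from the thread, from ISC or from Microsoft). It models what a validating resolver does per RFC 4035 section 5.2 and RFC 6840 section 5.2: a DS (or trust anchor) whose algorithm or digest type the resolver does not implement is ignored, and a child with no usable DS is treated as unsigned ("insecure", not "bogus"), which then propagates to every zone beneath it. The delegation chain, the capability sets LEGACY_ALGS / MODERN_ALGS and the digest-type support are constructed assumptions chosen to mirror the thread (root keyed with algorithm 8, a resolver that knows nothing above 5, the poster's aaa.com signed with 5); they are not real DS data.

```python
from dataclasses import dataclass
from typing import Dict, Sequence, Set

# IANA DNSSEC algorithm numbers used below.
RSASHA1 = 5          # highest number the thread says MS DNS supported
RSASHA256 = 8        # algorithm of the root zone keys, as the thread notes

# DS digest types.
SHA1_DIGEST = 1
SHA256_DIGEST = 2


@dataclass(frozen=True)
class Ds:
    """One DS record (or configured trust anchor): key algorithm and digest type."""
    algorithm: int
    digest_type: int


@dataclass(frozen=True)
class Delegation:
    """A zone together with the DS set its parent publishes for it.
    For '.', the 'DS set' is the resolver's configured trust anchor."""
    zone: str
    ds_set: Sequence[Ds]


def ds_is_usable(ds: Ds, algs: Set[int], digests: Set[int]) -> bool:
    """A DS can only be used if the resolver implements both its key
    algorithm and its digest type."""
    return ds.algorithm in algs and ds.digest_type in digests


def walk_chain(chain: Sequence[Delegation], algs: Set[int],
               digests: Set[int]) -> Dict[str, str]:
    """Classify each zone of a root-to-leaf delegation chain the way a
    validating resolver does (RFC 4035 section 5.2, RFC 6840 section 5.2):

      - parent secure and at least one usable DS  -> "secure"
      - parent secure but no usable DS           -> "insecure"
        (child treated as unsigned; nothing below it can be validated)
      - parent insecure                          -> "insecure"

    A DS whose algorithm the resolver does not know is not an error: it is
    silently skipped, which is why the result is "insecure", not "bogus".
    """
    outcome: Dict[str, str] = {}
    parent_secure = True  # the anchor store stands in for the parent of "."
    for d in chain:
        usable = parent_secure and any(
            ds_is_usable(ds, algs, digests) for ds in d.ds_set)
        outcome[d.zone] = "secure" if usable else "insecure"
        parent_secure = usable
    return outcome


# Constructed chain (illustrative, not real DS data): root anchor and com.
# delegated with algorithm 8, aaa.com. (the poster's zone) signed with 5.
CHAIN = (
    Delegation(".", (Ds(RSASHA256, SHA256_DIGEST),)),
    Delegation("com.", (Ds(RSASHA256, SHA256_DIGEST),)),
    Delegation("aaa.com.", (Ds(RSASHA1, SHA1_DIGEST),)),
)

# Assumed capability sets. LEGACY models the resolver described in the
# thread (nothing above algorithm 5); MODERN adds RSASHA256.
LEGACY_ALGS = {RSASHA1}
MODERN_ALGS = {RSASHA1, RSASHA256}
DIGESTS = {SHA1_DIGEST, SHA256_DIGEST}  # assumed: both digest types implemented


def outcome_legacy() -> Dict[str, str]:
    """Resolver that knows only algorithms up to 5: the root anchor is
    unusable, so the chain breaks at the top and every zone is 'insecure'."""
    return walk_chain(CHAIN, LEGACY_ALGS, DIGESTS)


def outcome_modern() -> Dict[str, str]:
    """Resolver that also knows algorithm 8: the whole chain validates."""
    return walk_chain(CHAIN, MODERN_ALGS, DIGESTS)


if __name__ == "__main__":
    for label, result in (("alg<=5 only", outcome_legacy()),
                          ("alg 5 and 8", outcome_modern())):
        print(label, result)
```

The same walk also shows the milder failure mode Marc does not mention: a resolver that does know algorithm 8 but not the algorithm or digest type used for aaa.com's DS will validate the root and com. and then quietly treat aaa.com as unsigned, so answers from the AD-signed zone would arrive without the AD bit regardless of how well the zone itself is signed.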