Re: BIND, DNSSEC & AD

Fri, 29 Jun 2012 07:54:01 -0700 

The purpose behind this is not to protect the internal AD DNS from hijacking.  
But rather to allow internal clients to run DNSSEC related queries without 
having to reference external resolvers.

dig +dnssec somedomain


By the way, integrating BIND into AD will not be permitted.  The AD staff will 
not allow that.  That would be ideal though.

Thanks,

JT



________________________________
 From: Marc Lampo <marc.la...@eurid.eu>
To: 'John Williams' <john.1...@yahoo.com>; bind-users@lists.isc.org 
Sent: Friday, June 29, 2012 3:07 AM
Subject: RE: BIND, DNSSEC & AD
 

Hello,
 
(not a Bind related question !)
 
Last time I looked at Microsoft documentation I remember having seen that 
DNSSEC is for static files only,
*not* for “Active Directoryintegrated” domains !
If that is still true, I think the question about importing keys is irrelevant …
 
You would be needing Bind – from 9.7 onwards – for the DNS servers of the AD 
domains.
Bind can do the trick (DNSSEC + dynamic updating).
It would be sufficient to share the KSK, ZSK’s can be separate (as they are 
signed by the then shared KSK).
 
But is the an internal AD domain really an plausible attack vector for hackers ?
 
Kind regards,
 
Marc Lampo
Security Officer
EURid (for .eu)
 
From:John Williams [mailto:john.1...@yahoo.com] 
Sent: 28 June 2012 10:35 PM
To: bind-users@lists.isc.org
Subject: BIND, DNSSEC & AD
 
I have an environment that hosts a BIND based internet facing domain, call it 
abc.com.  I also have an internal Active Directory instance that hosts a MS 
based DNS instance called abc.com as well.  Everything works fine until we 
decided to implement DNSSEC on Active Directory.

Here is my question, is it possible to integrate the two domains?  Can I import 
the BIND DNSSEC keys into MS AD and build DNSSEC into AD using that method?  Is 
there better method?  I don't want to have AD DNS be my forward (Internet) 
facing application.

Thanks.

JT
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Reply via email to