Hello John,

On 6/29/12 4:52 PM, John Williams wrote:
> The purpose behind this is not to protect the internal AD DNS from
> hijacking. But rather to allow internal clients to run DNSSEC
> related queries without having to reference external resolvers.
>
> dig +dnssec somedomain

I have documented the steps to enable DNSSEC validation on Windows 2012 in my blog:

<http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns>

Keep in mind that DNSSEC requires the authoritative and the resolving/caching DNS servers to be separate. Clients will not see the AD flag (Authenticated Data) for a zone that is hosted on the same DNS server you're sending a recursive query to. Applications that depend on the AD flag will fail in this scenario.

This is a change for many people in the Windows AD world, as often the Windows DNS server is used as both authoritative and resolving at the same time. So a hybrid (both authoritative and caching/resolving) DNS server can DNSSEC-validate all domains except the domains it hosts itself (which in the case of AD are the internal AD domains). This is true for BIND as well as for Windows 2012 DNS.

The resolving DNS servers can be Windows 2012 or BIND 9.6+. There is no issue having BIND resolvers in an AD environment. It is, however, simpler to have the AD authoritative DNS servers on a Windows Server OS.

Windows 2008R2 cannot validate DNSSEC on the Internet, as it lacks support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.
-- 
Carsten

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
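The check Carsten describes (does the client actually get the AD flag back, and why not) can be scripted without dig. The block below is an added example and is not code from the original thread or from the linked blog post: it builds the wire form of a `dig +dnssec` query (RD set, EDNS0 OPT record with the DO bit, RFC 3225/4035) using only the Python standard library, and classifies a response header the way a practitioner would when debugging a hybrid server: AD set means validated; AA set without AD is the tell-tale of a zone the resolver hosts itself; SERVFAIL means validation failed. The sample response headers fed to it are constructed inline for the test; the `query_resolver` helper and the 4096-byte EDNS payload size are assumptions, not anything the thread specifies.

```python
import secrets
import socket
import struct

# DNS header flag bits (RFC 1035, RFC 4035)
FLAG_QR = 0x8000
FLAG_AA = 0x0400
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020  # Authenticated Data: resolver validated the answer
FLAG_CD = 0x0010
# DO (DNSSEC OK) bit lives in the 32-bit TTL field of the OPT RR (RFC 3225)
EDNS_DO = 0x00008000
EDNS_PAYLOAD = 4096  # assumed UDP payload size advertised in the OPT RR


def encode_name(name):
    """Encode a dotted name into DNS label wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_dnssec_query(name, qtype=1, txid=None):
    """Wire form of `dig +dnssec name`: RD set, one question, one OPT RR with DO."""
    if txid is None:
        txid = secrets.randbelow(0x10000)
    # id, flags, qdcount, ancount, nscount, arcount (the OPT RR counts as additional)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, TYPE 41, CLASS = payload size, TTL = extRCODE/version/DO/Z, RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, EDNS_PAYLOAD, EDNS_DO, 0)
    return header + question + opt


def response_flags(packet):
    """Decode the header flag bits that matter for a DNSSEC client."""
    txid, flags = struct.unpack("!HH", packet[:4])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "aa": bool(flags & FLAG_AA),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "rcode": flags & 0x000F,
    }


def classify(packet):
    """Explain what a response header says about validation status."""
    f = response_flags(packet)
    if f["rcode"] == 2:
        return "servfail"        # validation failed (or resolver/trust anchor broken)
    if f["ad"]:
        return "validated"       # resolver validated the chain of trust
    if f["aa"]:
        # Authoritative answer straight from the server's own zone: a hybrid
        # authoritative+resolving server never sets AD for zones it hosts.
        return "authoritative-not-validated"
    return "not-validated"


def make_response_header(flags, txid=0x1234):
    """Constructed sample response (header only) used to exercise classify()."""
    return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)


def query_resolver(server, name, qtype=1, timeout=3.0):
    """Send the query over UDP and return the raw response (needs network)."""
    q = build_dnssec_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(EDNS_PAYLOAD)
    if data[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return data


if __name__ == "__main__":
    # Constructed headers: QR|RD|RA|AD, QR|RD|RA, QR|AA|RD|RA, QR|RD|RA + SERVFAIL
    for flags in (0x81A0, 0x8180, 0x8580, 0x8182):
        print(hex(flags), classify(make_response_header(flags)))
```

Run against a real resolver with `classify(query_resolver("192.0.2.53", "example.com"))` (address is a placeholder): an answer of `authoritative-not-validated` for an internal AD zone from a hybrid server is exactly the failure mode described above, while `validated` for an Internet name from the same server shows that validation itself is working.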