If you don't want to run named on Windows, it supports dynamic updates with GSS-TSIG + DNSSEC.
In message <4feed285.7060...@strotmann.de>, "Carsten Strotmann (private)" writes:

> Hello John,
>
> On 6/29/12 4:52 PM, John Williams wrote:
> > The purpose behind this is not to protect the internal AD DNS from
> > hijacking, but rather to allow internal clients to run DNSSEC
> > related queries without having to reference external resolvers.
> >
> > dig +dnssec somedomain
> >
>
> I have documented the steps to enable DNSSEC validation on Windows
> 2012 in my Blog:
> <http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns>
>
> Keep in mind that DNSSEC requires that the authoritative and the
> resolving/caching DNS servers be separate.
>
> Clients will not see the AD flag (Authenticated Data) for a zone that
> is hosted on the same DNS server you're sending a recursive query to.
> Applications that depend on the AD flag will fail in this scenario.

It requires a little more configuration, but they can see the AD flag. Two views:

view 1. match-recursive-only yes; + static-stub zones pointing at 127.0.0.1 for the local zones + DNSSEC configured and enabled.

view 2. normal authoritative-only view.

> This is a change for many people in the Windows AD world, as often the
> Windows DNS server is used as both authoritative and resolving at the
> same time.
>
> So a hybrid (both authoritative and caching/resolving) DNS server can
> DNSSEC validate all domains except the domains it hosts itself (which
> are in the case of AD the internal AD domains). This is true for BIND as
> well as for Windows 2012 DNS.
>
> The resolving DNS servers can be Windows 2012 or BIND 9.6+. There is
> no issue having BIND resolvers in an AD environment. It is however
> simpler to have the AD authoritative DNS servers on Windows Server OS.
>
> Windows 2008R2 cannot validate DNSSEC in the Internet, as it lacks
> support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.
>
> -- Carsten

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
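The two-view layout Mark describes, written out as a named.conf fragment. This is an added example, not configuration from the thread or from ISC: the zone name `ad.example.internal`, the `internal` ACL, the zone file name and the trust-anchor key material are all assumptions (the key is an obvious placeholder, the real value is the zone's own KSK). It assumes BIND 9.8 or later, where `type static-stub` and `dnssec-validation auto` are available.

```conf
// Added example: hybrid BIND server that validates its own AD zones.
// Assumed values: zone name, ACL range, file name, placeholder trust anchor.

acl internal { 127.0.0.1; 10.0.0.0/8; };

options {
    directory "/var/named";
    listen-on { any; };
    // Do not answer recursive queries from the outside world.
    allow-recursion { internal; };
};

// View 1: the resolver. Matches only queries with RD=1 (recursion desired),
// i.e. what stub resolvers send. Views are tried in order, so it comes first.
view "resolver" {
    match-clients { internal; };
    match-recursive-only yes;
    recursion yes;

    // Validate the public DNSSEC chain from the root (built-in root key).
    dnssec-validation auto;

    // The internal AD zone is not delegated from the root, so its KSK must
    // be configured as an explicit trust anchor. PLACEHOLDER key material.
    trusted-keys {
        "ad.example.internal." 257 3 8 "AwEAAPLACEHOLDERKSKBASE64==";
    };

    // Do not serve the zone here; forward non-recursive lookups for it to the
    // authoritative view on the same host. named sends these with RD=0, so
    // they do not match this view and land in view 2 below.
    zone "ad.example.internal" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

// View 2: plain authoritative service. RD=0 queries (including those from
// view 1) and queries from non-internal clients end up here. No recursion.
view "authoritative" {
    match-clients { any; };
    recursion no;

    zone "ad.example.internal" {
        type master;
        file "ad.example.internal.zone.signed";   // assumed: the signed zone file
    };
};
```

The check is the one from the thread: `dig +dnssec @127.0.0.1 ad.example.internal SOA` from an internal client should now return `flags: ... ad`, because the answer was fetched by the validating view via the static-stub and verified against the configured anchor rather than served directly from authoritative data. If the key in `trusted-keys` does not match the zone's actual KSK, resolution of the zone fails with SERVFAIL in the resolver view, which is the expected fail-closed behaviour.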