Re: BIND, DNSSEC AD

2012-06-30 Thread Carsten Strotmann (private)

Hello John,

On 6/29/12 4:52 PM, John Williams wrote:
> The purpose behind this is not to protect the internal AD DNS from
> hijacking.  But rather to allow internal clients to run DNSSEC
> related queries without having to reference external resolvers.
>
> dig +dnssec somedomain

I have documented the steps to enable DNSSEC validation on Windows
2012 in my blog:
http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns

Keep in mind that DNSSEC requires that the authoritative and the
resolving/caching DNS servers be separate.

Clients will not see the AD-Flag (Authenticated Data) for a zone that
is hosted on the same DNS Server you're sending a recursive query to.
Applications that depend on the AD flag will fail in this scenario.

This is a change for many people in the Windows AD world, as often the
Windows DNS server is used as both authoritative and resolving at the
same time.

So a hybrid (both authoritative and caching/resolving) DNS Server can
DNSSEC validate all domains except the domains it hosts itself (which
are in case of AD the internal AD domains). This is true for BIND as
well as for Windows 2012 DNS.

The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
no issue having BIND resolvers in an AD environment. It is however
simpler to have the AD authoritative DNS Servers on Windows Server OS.

Windows 2008R2 cannot validate DNSSEC on the Internet, as it lacks
support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.

-- Carsten
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: BIND, DNSSEC AD

2012-06-30 Thread Mark Andrews

If you don't want to run named on Windows, it supports dynamic updates with
GSS-TSIG + DNSSEC.

In message 4feed285.7060...@strotmann.de, Carsten Strotmann (private) 
writes:
> Hello John,
>
> On 6/29/12 4:52 PM, John Williams wrote:
>> The purpose behind this is not to protect the internal AD DNS from
>> hijacking.  But rather to allow internal clients to run DNSSEC
>> related queries without having to reference external resolvers.
>>
>> dig +dnssec somedomain
>
> I have documented the steps to enable DNSSEC validation on Windows
> 2012 in my blog:
> http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns
>
> Keep in mind that DNSSEC requires that the authoritative and the
> resolving/caching DNS servers be separate.
>
> Clients will not see the AD-Flag (Authenticated Data) for a zone that
> is hosted on the same DNS Server you're sending a recursive query to.
> Applications that depend on the AD flag will fail in this scenario.

It requires a little more configuration but they can see the AD flag.

Two views:
view 1.  match-recursive-only yes; + static stub zones pointing at
127.0.0.1 for the local zones + dnssec configured and enabled.
view 2.  normal authoritative only view.
 
 This is a change for many people in the Windows AD world, as often the
 Windows DNS server is used as both authoritative and resolving at the
 same time.
 
 So a hybrid (both authoritative and caching/resolving) DNS Server can
 DNSSEC validate all domains except the domains it hosts itself (which
 are in case of AD the internal AD domains). This is true for BIND as
 well as for Windows 2012 DNS.
 
 The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
 no issue having BIND resolvers in an AD environment. It is however
 simpler to have the AD authoritative DNS Servers on Windows Server OS.
 
 Windows 2008R2 cannot validate the DNSSEC in the Internet, as is lacks
 support for NSEC3 and SHA256. But Windows 2012 is now full DNSSEC enabled.
 
 - -- Carsten
 -BEGIN PGP SIGNATURE-
 Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
 Comment: GPGTools - http://gpgtools.org
 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
 
 iEYEARECAAYFAk/u0oUACgkQsUJ3c+pomYEaDgCgoLx/K10NVFxW671qy6sQQebo
 JMQAn17H7Rf8EJpTA24znwdrEJH/iCzB
 =gK1h
 -END PGP SIGNATURE-
 ___
 Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
 from this list
 
 bind-users mailing list
 bind-users@lists.isc.org
 https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
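The two-view layout Mark describes, written out as an added named.conf sketch (not from the thread or from ISC). It assumes BIND 9.8+ for `static-stub`; the zone name, addresses, file name and trust-anchor value are placeholders, and the internal zone must already be DNSSEC-signed for the AD flag to appear.

```conf
// Added example: one named instance that is both the validating resolver
// for clients and the authoritative server for the internal AD zone,
// split into two views so the resolver still sets AD for that zone.
// All names, addresses and the key string below are placeholders.

options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.0.2.53; };   // 192.0.2.53: placeholder
};

// The internal zone is not reachable from the root chain of trust, so the
// validator needs the zone's own KSK as an explicit trust anchor.
trusted-keys {
    "ad.example.internal" 257 3 8 "PLACEHOLDER-BASE64-KSK";
};

// View 1 must be listed first: it only matches queries with RD=1, i.e.
// real client lookups. Everything else falls through to view "auth".
view "resolver" {
    match-clients { 10.0.0.0/8; 127.0.0.1; };   // placeholder client range
    match-recursive-only yes;
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;    // root trust anchor managed by named

    // Static stub: for this zone the resolver iterates toward 127.0.0.1.
    // Those upstream queries are sent with RD=0, so they do NOT match
    // this view again; they land in view "auth", get a signed answer,
    // and are validated here against the trusted-keys entry above.
    zone "ad.example.internal" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

// View 2: plain authoritative service for RD=0 queries (from the resolver
// view or from outside). No recursion, no validation needed here.
view "auth" {
    match-clients { any; };
    recursion no;
    zone "ad.example.internal" {
        type master;
        file "ad.example.internal.signed";   // signed zone file (placeholder)
        // update-policy / GSS-TSIG for domain controllers would go here
    };
};
```

To check it works, `dig +dnssec @127.0.0.1 ad.example.internal SOA` from a client address should now show `ad` in the flags line, which the single-view hybrid setup never does for its own zone.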