If you don't want to run named on Windows, it supports dynamic updates with
GSS-TSIG + DNSSEC.
In message 4feed285.7060...@strotmann.de, Carsten Strotmann (private)
writes:
> Hello John,
>
> On 6/29/12 4:52 PM, John Williams wrote:
>> The purpose behind this is not to protect the internal AD DNS from
>> hijacking. But rather to allow internal clients to run DNSSEC
>> related queries without having to reference external resolvers.
>>
>> dig +dnssec somedomain
>
> I have documented the steps to enable DNSSEC validation on Windows
> 2012 in my Blog:
> http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns
>
> Keep in mind that DNSSEC requires that the authoritative and the
> resolving/caching DNS servers be separate.
>
> Clients will not see the AD flag (Authenticated Data) for a zone that
> is hosted on the same DNS server you're sending a recursive query to.
> Applications that depend on the AD flag will fail in this scenario.
It requires a little more configuration but they can see the AD flag.
Two views:
view 1. match-recursive-only yes; + static stubs zones pointing at
127.0.0.1 for the local zones + dnssec configured and enabled.
view 2. normal authoritative only view.
> This is a change for many people in the Windows AD world, as often the
> Windows DNS server is used as both authoritative and resolving at the
> same time.
>
> So a hybrid (both authoritative and caching/resolving) DNS server can
> DNSSEC validate all domains except the domains it hosts itself (which
> are in case of AD the internal AD domains). This is true for BIND as
> well as for Windows 2012 DNS.
>
> The resolving DNS servers can be Windows 2012 or BIND 9.6+. There is
> no issue having BIND resolvers in an AD environment. It is however
> simpler to have the AD authoritative DNS servers on Windows Server OS.
>
> Windows 2008R2 cannot validate DNSSEC in the Internet, as it lacks
> support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.
>
> -- Carsten
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
> from this list
>
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
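As an added illustration (not part of the thread, and not Mark's or Carsten's configuration), here is a named.conf sketch of the two-view layout Mark describes: a recursive-only view that validates and reaches the local zone through a static-stub pointing at 127.0.0.1, in front of a plain authoritative view that also accepts GSS-TSIG updates from domain-joined Windows hosts. The zone name corp.example, the realm CORP.EXAMPLE, the address 192.0.2.53, the key material and the file paths are placeholders chosen for this example; the syntax assumes BIND 9.8 or later (static-stub and dnssec-validation auto).

```conf
// Added example, not from the thread. Two views so a hybrid BIND server can
// both host the internal AD zone and give recursive clients validated answers
// (AD bit set) for that same zone.

options {
    directory "/var/named";                  // placeholder path
    listen-on { 127.0.0.1; 192.0.2.53; };    // placeholder addresses
    tkey-gssapi-keytab "/etc/named.keytab";  // placeholder; required for GSS-TSIG
};

// Trust anchor for the internal zone. corp.example is not delegated from the
// public root, so the validator can only mark it authentic if the zone is
// signed and its KSK is configured here (trusted-keys syntax; BIND 9.16+
// expresses the same thing with "trust-anchors { ... static-key ...; };").
trusted-keys {
    "corp.example." 257 3 8 "<BASE64-KSK-PLACEHOLDER>";
};

// View 1 must be listed first: it catches every query with RD=1 (recursion
// desired), i.e. ordinary stub resolvers, and validates on their behalf.
view "resolver" {
    match-recursive-only yes;
    recursion yes;
    dnssec-validation auto;   // root trust anchor maintained by named itself

    // The internal zone is NOT hosted in this view. A static-stub makes the
    // validator fetch it from 127.0.0.1 with non-recursive (RD=0) queries,
    // which therefore land in the authoritative view below. The answer is
    // validated like any other zone, so clients receive the AD bit.
    zone "corp.example" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
    zone "2.0.192.in-addr.arpa" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

// View 2: plain authoritative service for RD=0 queries, which covers the
// validator's own static-stub lookups as well as secondaries and outside
// resolvers.
view "authoritative" {
    match-clients { any; };
    recursion no;

    zone "corp.example" {
        type master;
        file "corp.example.db";      // placeholder; zone must be DNSSEC-signed
        // Secure dynamic updates via GSS-TSIG: a machine principal
        // (host/NAME@CORP.EXAMPLE) may only change A/AAAA for its own name.
        update-policy {
            grant CORP.EXAMPLE ms-self . A AAAA;
        };
    };
    zone "2.0.192.in-addr.arpa" {
        type master;
        file "2.0.192.in-addr.arpa.db";   // placeholder
        update-policy {
            grant CORP.EXAMPLE ms-subdomain 2.0.192.in-addr.arpa. PTR;
        };
    };
};
```

To confirm the split works, send the recursive query from an internal client (`dig +dnssec host.corp.example @192.0.2.53`) and check that `ad` appears in the flags; a non-recursive query (`dig +norecurse`) against the same address should be answered from the authoritative view with `aa` set and no `ad`, which is exactly the behaviour Carsten describes for a single hybrid server.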