Re: BIND, DNSSEC & AD

2012-07-03 Thread John Williams
Subject: RE: BIND, DNSSEC & AD Marc Lampo wrote: > > you are aware that Windows DNS service understands DNSSEC algorithm 5 > (RSA/SHA-1 – NSEC) at most ? Carsten Strotmann's post says Windows Server 2012 fixes this limitation http://strotmann.de/roller

RE: BIND, DNSSEC & AD

2012-07-02 Thread Tony Finch
Marc Lampo wrote: > > you are aware that Windows DNS service understands DNSSEC algorithm 5 > (RSA/SHA-1 – NSEC) at most ? Carsten Strotmann's post says Windows Server 2012 fixes this limitation http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns Tony. -- f.anthony.n

RE: BIND, DNSSEC & AD

2012-07-01 Thread Marc Lampo
Officer EURid (for .eu) From: John Williams [mailto:john.1...@yahoo.com] Sent: 29 June 2012 04:53 PM To: Marc Lampo; bind-users@lists.isc.org Subject: Re: BIND, DNSSEC & AD The purpose behind this is not to protect the internal AD DNS from hijacking. But rather to allow internal clients to

Re: BIND, DNSSEC & AD

2012-06-30 Thread Mark Andrews
If you don't want to run named on Windows, it supports dynamic updates with GSS-TSIG + DNSSEC. In message <4feed285.7060...@strotmann.de>, "Carsten Strotmann (private)" writes: > Hello John, > > On 6/29/12 4:52 PM, John Williams wrote: > > The purpose behind this is not to protect the internal

Re: BIND, DNSSEC & AD

2012-06-30 Thread Carsten Strotmann (private)
Hello John, On 6/29/12 4:52 PM, John Williams wrote: > The purpose behind this is not to protect the internal AD DNS from > hijacking. But rather to allow internal clients to run DNSSEC > related queries without having to reference external resolver

Re: BIND, DNSSEC & AD

2012-06-29 Thread John Williams
will not allow that. That would be ideal though. Thanks, JT From: Marc Lampo To: 'John Williams' ; bind-users@lists.isc.org Sent: Friday, June 29, 2012 3:07 AM Subject: RE: BIND, DNSSEC & AD Hello, (not a Bind related question !) Last ti

BIND, DNSSEC & AD

2012-06-29 Thread Carsten Strotmann
Hello JT, I'm currently working on integrating MS DNSSEC (on Windows 2012) and BIND here @ Men & Mice for another customer. I might have a solution for you, but I need more detailed information about your setup. I will contact you by E-Mail on Monday (I hope that is not too late). -- Carsten

RE: BIND, DNSSEC & AD

2012-06-29 Thread Marc Lampo
lausible attack vector for hackers ? Kind regards, Marc Lampo Security Officer EURid (for .eu) From: John Williams [mailto:john.1...@yahoo.com] Sent: 28 June 2012 10:35 PM To: bind-users@lists.isc.org Subject: BIND, DNSSEC & AD I have an environment that hosts a BIND based int

BIND, DNSSEC & AD

2012-06-28 Thread John Williams
I have an environment that hosts a BIND based internet facing domain, call it abc.com. I also have an internal Active Directory instance that hosts a MS based DNS instance called abc.com as well. Everything worked fine until we decided to implement DNSSEC on Active Directory. Here is my questi