
BIND, DNSSEC & AD


John Williams

Jun 28, 2012, 4:34:40 PM6/28/12
to bind-...@lists.isc.org
I have an environment that hosts a BIND-based, Internet-facing domain, call it abc.com.  I also have an internal Active Directory instance that hosts an MS-based DNS instance called abc.com as well.  Everything worked fine until we decided to implement DNSSEC on Active Directory.

Here is my question: is it possible to integrate the two domains?  Can I import the BIND DNSSEC keys into MS AD and build DNSSEC into AD using that method?  Is there a better method?  I don't want to have AD DNS be my forward (Internet) facing application.

Thanks.

JT

Marc Lampo

Jun 29, 2012, 3:07:46 AM6/29/12
to John Williams, bind-...@lists.isc.org

Hello,

(not a Bind related question!)

Last time I looked at Microsoft documentation I remember having seen that DNSSEC is for static files only,
*not* for “Active Directory integrated” domains!
If that is still true, I think the question about importing keys is irrelevant …

You would be needing Bind – from 9.7 onwards – for the DNS servers of the AD domains.
Bind can do the trick (DNSSEC + dynamic updating).

It would be sufficient to share the KSK; ZSKs can be separate (as they are signed by the then shared KSK).

But is an internal AD domain really a plausible attack vector for hackers?

Kind regards,

Marc Lampo

Security Officer

EURid (for .eu)

Carsten Strotmann

Jun 29, 2012, 8:01:55 AM6/29/12
to john...@yahoo.com, car...@menandmice.com, bind-...@lists.isc.org
Hello JT,

I'm currently working on integrating MS DNSSEC (on Windows 2012) and
BIND here @ Men & Mice for another customer.

I might have a solution for you, but I need more detailed information about
your setup. I will contact you by E-Mail on Monday (I hope that is not too
late).

-- Carsten Strotmann

John Williams

Jun 29, 2012, 10:52:52 AM6/29/12
to Marc Lampo, bind-...@lists.isc.org
The purpose behind this is not to protect the internal AD DNS from hijacking.  But rather to allow internal clients to run DNSSEC related queries without having to reference external resolvers.

dig +dnssec somedomain

By the way, integrating BIND into AD will not be permitted.  The AD staff will not allow that.  That would be ideal though.

Thanks,

JT


From: Marc Lampo <marc....@eurid.eu>
To: 'John Williams' <john...@yahoo.com>; bind-...@lists.isc.org
Sent: Friday, June 29, 2012 3:07 AM
Subject: RE: BIND, DNSSEC & AD

Carsten Strotmann (private)

Jun 30, 2012, 6:18:45 AM6/30/12
to bind-...@lists.isc.org
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello John,

On 6/29/12 4:52 PM, John Williams wrote:
> The purpose behind this is not to protect the internal AD DNS from
> hijacking. But rather to allow internal clients to run DNSSEC
> related queries without having to reference external resolvers.
>
> dig +dnssec somedomain
>

I have documented the steps to enable DNSSEC validation on Windows
2012 in my Blog:
<http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns>

Keep in mind that DNSSEC requires the authoritative and the
resolving/caching DNS servers to be separate.

Clients will not see the AD flag (Authenticated Data) for a zone that
is hosted on the same DNS server you're sending a recursive query to.
Applications that depend on the AD flag will fail in this scenario.

This is a change for many people in the Windows AD world, as often the
Windows DNS server is used as both authoritative and resolving at the
same time.

So a hybrid (both authoritative and caching/resolving) DNS Server can
DNSSEC validate all domains except the domains it hosts itself (which
are in case of AD the internal AD domains). This is true for BIND as
well as for Windows 2012 DNS.

The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
no issue having BIND resolvers in an AD environment. It is however
simpler to have the AD authoritative DNS Servers on Windows Server OS.

Windows 2008R2 cannot validate the DNSSEC in the Internet, as it lacks
support for NSEC3 and SHA256. But Windows 2012 is now fully DNSSEC enabled.

- -- Carsten
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk/u0oUACgkQsUJ3c+pomYEaDgCgoLx/K10NVFxW671qy6sQQebo
JMQAn17H7Rf8EJpTA24znwdrEJH/iCzB
=gK1h
-----END PGP SIGNATURE-----

Mark Andrews

Jun 30, 2012, 8:52:31 PM6/30/12
to Carsten Strotmann (private), bind-...@isc.org

If you don't want to run named on Windows, it supports dynamic updates with
GSS-TSIG + DNSSEC.

In message <4FEED285...@strotmann.de>, "Carsten Strotmann (private)" writes:
> Hello John,
>
> On 6/29/12 4:52 PM, John Williams wrote:
> > The purpose behind this is not to protect the internal AD DNS from
> > hijacking. But rather to allow internal clients to run DNSSEC
> > related queries without having to reference external resolvers.
> >
> > dig +dnssec somedomain
> >
>
> I have documented the steps to enable DNSSEC validation on Windows
> 2012 in my Blog:
> <http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns>
>
> Keep in mind that DNSSEC requires that the authoritative and the
> resolving/caching DNS servers to be separate.
>
> Clients will not see the AD-Flag (Authenticated Data) for a zone that
> is hosted on the same DNS Server you've sending a recursive query to.
> Applications that depend on the AD flag will fail in this scenario.

It requires a little more configuration but they can see the AD flag.

Two views:
view 1. match-recursive-only yes; + static-stub zones pointing at
127.0.0.1 for the local zones + dnssec configured and enabled.
view 2. normal authoritative-only view.

> This is a change for many people in the Windows AD world, as often the
> Windows DNS server is used as both authoritative and resolving at the
> same time.
>
> So a hybrid (both authoritative and caching/resolving) DNS Server can
> DNSSEC validate all domains except the domains it hosts itself (which
> are in case of AD the internal AD domains). This is true for BIND as
> well as for Windows 2012 DNS.
>
> The resolving DNS Servers can be Windows 2012 or BIND 9.6+. There is
> no issue having BIND resolvers in an AD environment. It is however
> simpler to have the AD authoritative DNS Servers on Windows Server OS.
>
> Windows 2008R2 cannot validate the DNSSEC in the Internet, as is lacks
> support for NSEC3 and SHA256. But Windows 2012 is now full DNSSEC enabled.
>
> - -- Carsten
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
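Putting Mark's two-view layout together with the GSS-TSIG dynamic-update support he mentions, here is a named.conf in that shape, added as an example (it is not a configuration from the thread, from ISC or from any poster). It also addresses Carsten's point above that a hybrid server cannot set the AD flag for its own zones: the resolver view never hosts the zone, it fetches it from the authoritative view over loopback and validates it like any other. The zone name ad.example.com, the realm AD.EXAMPLE.COM, the 10.0.0.0/8 client range, the keytab path and the key directory are all assumed; the trusted-keys entry is a placeholder to be replaced with the internal zone's KSK. BIND 9.8 or later is assumed, for static-stub, tkey-gssapi-keytab and dnssec-validation auto.

```conf
// Added example, not from the thread. Assumed names:
//   ad.example.com        the AD-integrated zone (stands in for the internal abc.com)
//   AD.EXAMPLE.COM        the matching Kerberos realm
//   10.0.0.0/8            the internal client range
//   /etc/named/dns.keytab keytab holding the DNS/<host> service principal
// Needs BIND 9.8+ (static-stub, tkey-gssapi-keytab, dnssec-validation auto).

options {
    directory "/var/named";
    listen-on { any; };                        // must include 127.0.0.1 (static-stub below)
    tkey-gssapi-keytab "/etc/named/dns.keytab";  // GSS-TSIG credentials for secure updates
};

// View 1: the resolver. match-recursive-only makes it take only RD=1
// queries, i.e. what client stub resolvers send. It owns no zones: for
// the AD zone it holds a static-stub pointing at the authoritative view
// on the same host, so the data is fetched, validated and returned with AD set.
view "resolver" {
    match-recursive-only yes;
    match-clients { 10.0.0.0/8; localhost; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation auto;   // built-in root trust anchor (9.8+)

    // Trust anchor for the internal zone. Not needed if the internal zone
    // shares the public zone's KSK and the DS in the parent already matches it.
    trusted-keys {
        "ad.example.com." 257 3 8 "<base64 DNSKEY of the internal KSK, placeholder>";
    };

    zone "ad.example.com" {
        type static-stub;
        server-addresses { 127.0.0.1; };
    };
};

// View 2: authoritative only. Reached by the resolver view's own lookups
// (RD=0) and by dynamic UPDATE messages, which also carry RD=0. AD members
// and domain controllers update over GSS-TSIG; named signs the zone itself
// and keeps RRSIGs current as records change (auto-dnssec maintain).
view "authoritative" {
    match-clients { any; };
    recursion no;
    dnssec-enable yes;

    zone "ad.example.com" {
        type master;
        file "dyn/ad.example.com.db";
        key-directory "keys";          // K<zone>+008+<id>.{key,private} for KSK and ZSK
        auto-dnssec maintain;
        update-policy {
            // machine$@AD.EXAMPLE.COM may update its own A/AAAA records
            grant AD.EXAMPLE.COM ms-self ad.example.com. A AAAA;
            // domain controllers register SRV/CNAME records under these names
            grant AD.EXAMPLE.COM ms-subdomain _msdcs.ad.example.com. ANY;
            grant AD.EXAMPLE.COM ms-subdomain _sites.ad.example.com. ANY;
            grant AD.EXAMPLE.COM ms-subdomain _tcp.ad.example.com. ANY;
            grant AD.EXAMPLE.COM ms-subdomain _udp.ad.example.com. ANY;
        };
    };
};
```

Check it with `named-checkconf -z`, then from an internal client run `dig @<server> ad.example.com SOA +dnssec`: the header flags should include `ad`. The same query with `+norecurse` lands in the authoritative view and comes back with `aa` but no `ad`, which is exactly the hybrid-server behaviour Carsten describes and the reason for the split. One caveat: every zone the resolver view is expected to validate needs either a DS in a signed parent (the shared-KSK arrangement Marc suggests achieves this when the zone's public namesake is already signed) or a trusted-keys entry like the one above; without one of those the zone is treated as insecure, not bogus, and still returns no `ad`.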

Marc Lampo

Jul 2, 2012, 2:32:02 AM7/2/12
to John Williams, bind-...@lists.isc.org

Hello,

Yes, would be ideal …

I understand you want to make the Windows DNS service “DNSSEC capable”
(by feeding it KSKs of domains that have the same name internally as externally).
However:
you are aware that Windows DNS service understands DNSSEC algorithm 5 (RSA/SHA-1 – NSEC) at most?

→ since the root zone is already algo 8 (RSA/SHA-256)
→ since most TLDs are 7 or 8 and most with NSEC3
the Windows DNS service is going to treat most of DNSSEC’d name space as “unsigned” anyway …

(another argument to switch to Bind, internally?)

Kind regards,

Marc Lampo

Security Officer

EURid (for .eu)

From: John Williams [mailto:john...@yahoo.com]
Sent: 29 June 2012 04:53 PM
To: Marc Lampo; bind-...@lists.isc.org
Subject: Re: BIND, DNSSEC & AD

The purpose behind this is not to protect the internal AD DNS from hijacking.  But rather to allow internal clients to run DNSSEC related queries without having to reference external resolvers.

dig +dnssec somedomain

By the way, integrating BIND into AD will not be permitted.  The AD staff will not allow that.  That would be ideal though.

Tony Finch

Jul 2, 2012, 11:10:51 AM7/2/12
to Marc Lampo, bind-...@lists.isc.org
Marc Lampo <marc....@eurid.eu> wrote:
>
> you are aware that Windows DNS service understands DNSSEC algorithm 5
> (RSA/SHA-1 – NSEC) at most ?

Carsten Strotmann's post says Windows Server 2012 fixes this limitation
http://strotmann.de/roller/dnsworkshop/entry/dnssec_validation_in_microsoft_dns

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Viking, North Utsire, South Utsire: Southwesterly, backing southeasterly 4 or
5, occasionally 6 at first in Viking. Moderate. Rain or showers. Moderate or
good.

John Williams

Jul 3, 2012, 2:56:24 PM7/3/12
to Tony Finch, Marc Lampo, bind-...@lists.isc.org
Thanks to all that replied.  I think the solution I want to pursue is to integrate AD 2012 DNS with BIND.  Talk about bleeding edge, huh?

From: Tony Finch <d...@dotat.at>
To: Marc Lampo <marc....@eurid.eu>
Cc: John Williams <john...@yahoo.com>; bind-...@lists.isc.org
Sent: Monday, July 2, 2012 11:10 AM

Subject: RE: BIND, DNSSEC & AD