
List:       bind-users
Subject:    Re: DNSSEC and MS AD
From:       Peter Andreev <andreev.peter () gmail ! com>
Date:       2011-08-10 7:19:37
Message-ID: CAE_wXn2QBPTv2Ua8KMzNZtYDYNmqNAhQWTP713VnFMyJN_xnkA () mail ! gmail ! com

2011/8/9 Chris Buxton <chris.p.buxton@gmail.com>:
> On Aug 9, 2011, at 10:07 AM, John Williams wrote:
> 
> > --- On Tue, 8/9/11, Chris Buxton <chris.p.buxton@gmail.com> wrote:
> > 
> > > With a private version of a domain, you should not need to
> > > worry about a DS record in the parent. Just make sure your
> > > internal caching servers not only can find the internal
> > > version of your domain, but also can validate the signatures
> > > therein, most likely using a trusted or managed key specific
> > > to that internal domain.
> > > 
> > > I'll not try to get into the specifics of using MS DNS for
> > > this purpose because this is not the right forum.
> > > 
> > > Regards,
> > > Chris Buxton
> > > BlueCat Networks
> > 
> > Based on your response, I'm wondering how an application such as Exchange (SMTP, which clearly relies on DNS) will work in this model. Are there any effects of the parent domain (.com, .net, whatever...) not having the DS records for the domain?
> 
> I don't follow your reasoning.
> 
> For SMTP, the DNS-related operation is in looking up the MX and A/AAAA records of other mail servers based on an outgoing message. If you're worried about other mail servers finding your Exchange server, there are two cases:
> - External. My comments had nothing to do with external (Internet-facing) DNS records. There, you would want to have DS records put into the parent zone to be able to authenticate the link from parent to child.
> - Internal. If you're using MX records internally, you're either very large or misguided. If you are large enough to warrant this, then your caching servers should be able to follow your internal chain of trust, starting at a private trust anchor. This is the point I was getting at.
> The use of internal, private namespace should be entirely transparent to any service other than DNS. Your mail server should not need to know about it, and should not be able to detect it (other than watching for private address space and obviously-private domain names like "corp.dom").

As I understood from here -
http://technet.microsoft.com/en-us/library/ee649277(WS.10).aspx -
Chris' scenario should work. But I doubt that it is reasonable to use
DNSSEC for an internal domain and, moreover, with such limitations.

> 
> Chris Buxton
> BlueCat Networks
> _______________________________________________
> Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
> 



-- 
--
AP
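The setup Chris describes, a caching resolver that validates a privately signed internal zone from its own trust anchor rather than through a DS record in the public parent, as an added named.conf fragment (not from the thread or from BIND's documentation). It uses BIND 9.16+ syntax (older releases used a `trusted-keys` statement); `corp.dom`, the forwarder address 10.0.0.53 and the key string are placeholders.

```conf
// Added example: internal validating resolver for a privately signed zone.
// corp.dom, 10.0.0.53 and the key material are placeholders, not real values.
options {
    recursion yes;
    // Validate all answers; the root KSK is maintained automatically (RFC 5011).
    dnssec-validation auto;
};

// The root anchor covers the public tree. corp.dom has no DS in its parent,
// so the chain from root would end as insecure (or fail outright for a name
// that does not exist publicly). BIND validates with the closest enclosing
// trust anchor, so a static anchor for corp.dom makes its RRSIGs validate.
trust-anchors {
    // flags 257 = KSK, protocol 3, algorithm 13 (ECDSAP256SHA256);
    // replace the string with the internal zone's actual KSK public key.
    corp.dom. static-key 257 3 13 "PLACEHOLDER-BASE64-KSK-PUBLIC-KEY==";
};

// Send queries for the private namespace to the internal authoritative
// servers instead of walking the public parent. Forwarded answers are still
// validated, so the forwarders must return RRSIGs with their answers.
zone "corp.dom" {
    type forward;
    forward only;
    forwarders { 10.0.0.53; };
};
```

Check it with `delv @127.0.0.1 host.corp.dom A`: with the anchor present the answer is reported as fully validated, without it the resolver returns SERVFAIL. A static anchor is not updated on a KSK rollover, so the internal zone's KSK has to be rolled in step with this file (or published in a way the resolver can track) or internal resolution breaks.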