[Dnssec-deployment] DNSSEC Launched Today by EDUCAUSE and VeriSign

Rob Austein sra at isc.org
Tue Aug 3 12:01:18 EDT 2010

At Mon, 2 Aug 2010 13:53:51 -0500, Jeffrey Ollie wrote:
> One thing that may hold up adoption at .edus is the fact that
> Microsoft's DNS server only has minimal DNSSEC support (probably just
> enough to keep from being disqualified from government/military
> contracts).  While that's probably not a problem for larger
> educational institutions it's going to be an issue for some.  In my
> case, we use Microsoft's DNS server internally to support Active
> Directory, but are using BIND on a Linux box externally for security
> boxes.  I need to figure out how to reconcile the two different sides
> so that everything is working smoothly.

At least in theory, the combination of BIND 9.7 and Samba 4 might help
here, although probably not immediately.  As I understand it, Samba 4
has much better support for Active Directory than previous releases,
including at least some support for the GSS-TSIG code in recent
versions of BIND9[*].  Again in theory, if one were to combine this
with BIND 9 autosigning, one might get something that looked close
enough to Active Directory to make the Windows universe happy while
also supporting DNSSEC.

The caveat is that I'm pretty sure that Samba 4 is not yet production
code (currently alpha, if I read the doc correctly), and is still in
flux...but that makes this an excellent time for people with problems
in this space to test it out and let the Samba people know whether
they've gotten it right.

[*] For those fortunate enough not to have needed to know: GSS-TSIG is
    necessary but not sufficient for the full glory (if that's the
    word) that is Active Directory.  One can run AD in some kind of
    low-security mode without it, but AD is designed to authenticate
    using Kerberos, which for DNS means GSS-TSIG.  Similarly, one can
    run BIND9's GSS-TSIG without Samba and interoperate with Windows,
    but it's painful, and may not match a Windows user's expectations,
    because BIND9 only implements the GSS-TSIG authentication, not
    AD's LDAP authorization framework.  The Samba people are trying to
    fill this gap.
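The combination described above (BIND's GSS-TSIG listener for Kerberos-authenticated dynamic updates from AD members, plus auto-dnssec maintain on the same dynamic zone) is sketched below as an added example; it is not from this message, nor ISC's or the Samba project's own documentation. It assumes a BIND 9.7-era named.conf, a realm EXAMPLE.COM, a name server ns1.example.com whose keytab holds the DNS/ns1.example.com principal, a domain controller machine account DC1$, and a key-directory already populated by dnssec-keygen; all of those names and paths are placeholders. The Samba/Kerberos side (KDC, keytab export) is assumed to be in place and is not shown.

```conf
// Added example (not from the original post): named.conf fragments that
// put GSS-TSIG update authentication and BIND 9.7 autosigning on one zone.
// EXAMPLE.COM, ns1.example.com, DC1$ and the file paths are placeholders.

options {
    directory "/var/named";

    // BIND 9.7 form of the GSS-TSIG credential: the Kerberos principal
    // named presents when an AD client negotiates a TKEY.  The default
    // keytab (or the one named by KRB5_KTNAME) must contain this principal.
    tkey-gssapi-credential "DNS/ns1.example.com@EXAMPLE.COM";
    tkey-domain "EXAMPLE.COM";
};

zone "example.com" {
    type master;
    file "dynamic/example.com.db";

    // Keys created with dnssec-keygen (one KSK, one ZSK) live here; named
    // picks them up by zone name and re-signs as the dynamic zone changes.
    key-directory "keys";
    auto-dnssec maintain;

    // Authorization is only as fine as these rules: BIND checks the
    // authenticated principal against the name being updated, it does
    // not consult AD's LDAP ACLs.  ms-self lets MACHINE$@EXAMPLE.COM
    // change its own A/AAAA records and nothing else; the DC's machine
    // account is granted the wider set it needs for the AD service records.
    update-policy {
        grant EXAMPLE.COM ms-self * A AAAA;
        grant DC1$@EXAMPLE.COM wildcard * A AAAA SRV CNAME;
    };
};
```

With this in place an AD member registering itself goes through TKEY/GSS-TSIG and lands in the dynamic zone, and named refreshes the affected RRSIGs without anyone re-signing by hand; the DS record for the KSK still has to be published at the parent (.edu in this thread's case) for validators to trust the result. The update-policy block is the piece worth reviewing most carefully when comparing against a Windows DNS setup, since it is the whole of the authorization model on the BIND side.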

