Hi community,

we have two DCs that work under the domain babis.local

We are using unbound on our firewall for the interfaces as default DNS server.
Unbound is activated and has an overwrite from our AD domain babis.local to the DCs.

When DNSSEC is disabled on unbound, DNS queries to the DCs work perfectly.
When DNSSEC is activated on unbound, DNS queries will be sent to root DNS servers and I got NXDOMAIN.

Does Samba support DNSSEC?
What needs to be configured? I didn't find an article in the wiki.

kind regards
Oliver

On 10/07/2019 14:46, Oliver Werner via samba wrote:
> Hi community,
>
> we have two DCs that work under the domain babis.local
>
> We are using unbound on our firewall for the interfaces as default DNS server.
> Unbound is activated and has an overwrite from our AD domain babis.local to the DCs.

This sounds like the firewall is authoritative for the AD DNS domain; if it is, it shouldn't be.

> When DNSSEC is disabled on unbound, DNS queries to the DCs work perfectly.

I think that answers your question.

> When DNSSEC is activated on unbound, DNS queries will be sent to root DNS servers and I got NXDOMAIN.

No, your AD domain queries should be forwarded to a DC.

> Does Samba support DNSSEC?

Not that I am aware of, but then it shouldn't be used internally.

> What needs to be configured? I didn't find an article in the wiki.

Your setup needs to be configured correctly: your clients should use the DNS server on the firewall as a caching/forwarding DNS server, forwarding your AD DNS domain queries to the DNS servers running on the DCs.

Rowland

On 10.07.19 at 16:11, Rowland penny via samba wrote:
> On 10/07/2019 14:46, Oliver Werner via samba wrote:
>> Hi community,
>>
>> we have two DCs that work under the domain babis.local
>>
>> We are using unbound on our firewall for the interfaces as default
>> DNS server.
>> Unbound is activated and has an overwrite from our AD domain
>> babis.local to the DCs.
> This sounds like the firewall is authoritative for the AD DNS domain; if
> it is, it shouldn't be.

unbound by definition can't be authoritative, as it's a caching-only resolver just doing recursion or forwarding stub zones and has no concept of hosting zones itself.

>> Does Samba support DNSSEC?
> Not that I am aware of, but then it shouldn't be used internally.
>> What needs to be configured? I didn't find an article in the wiki.
>
> Your setup needs to be configured correctly: your clients should use the
> DNS server on the firewall as a caching/forwarding DNS server,
> forwarding your AD DNS domain queries to the DNS servers running on the
> DCs.

stub-zone:
    name: "example.com."
    stub-addr: ad-host@53
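
Added example, not part of the thread: an unbound.conf fragment that combines the stub-zone shown above with unbound's `domain-insecure` option, so that DNSSEC validation stays on for public names while the unsigned zone babis.local is resolved from the DCs. The DC addresses (192.0.2.10, 192.0.2.11) and the trust anchor path are placeholders and must be replaced with local values.

```conf
server:
    # DNSSEC validation stays enabled for everything that chains to the root.
    # Path is a placeholder; use the location your distribution ships.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"

    # babis.local has no delegation and no DS record in the signed root zone.
    # With the validator active, unbound asks the parent for proof and gets a
    # signed denial for "local.", which surfaces as NXDOMAIN for the AD names.
    # domain-insecure tells the validator not to expect a chain of trust for
    # this name and everything below it (_msdcs, _tcp, host records, ...).
    domain-insecure: "babis.local."

    # Only relevant when private-address (rebind protection) is configured:
    # allow RFC 1918 addresses in answers for the AD domain.
    private-domain: "babis.local."

# Send queries for the AD zone to the authoritative DNS on the DCs.
# One stub-addr line per DC; addresses are placeholders.
stub-zone:
    name: "babis.local."
    stub-addr: 192.0.2.10@53
    stub-addr: 192.0.2.11@53
```

After reloading unbound, `unbound-control list_stubs` should list babis.local, and a lookup of a DC record through the firewall should return the DC's answer while public names are still validated.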