>> Does Samba supports DNSSEC? >Not that I am aware off, but then it shouldn't be used internally.Imho Samba should support DNSSEC (or clarify bind can be used to sign Samba managed zones consistently). There is a clear tendency to move validating resolvers like Unbound to clients and in the long run nobody wants to maintain exceptions on all clients (think about mobile phones) and there is also no evidence that attackers are blocked by firewalls rather than being internal. I know that Microsoft some years ago published a recommendation to use IPSEC to protect the "last mile", but I am not aware of anyone really doing that. Joachim