[Samba] Samba and DNSSEC

Rowland penny rpenny at samba.org
Wed Jul 10 14:11:15 UTC 2019

On 10/07/2019 14:46, Oliver Werner via samba wrote:
> Hi community,
> we have tow DCs there works under domain babis.local
> We are using unbound on our firewall for the interfaces as default DNS-Server.
> Unbound is activated and has an overwrite from our AD-Domain babis.local to the DCs.
This sounds like the firewall is authoritative for the AD DNS domain, if 
it is, it shouldn't be
> When DNSSEC is disabled on unbound, DNS-Queries to dc works perfect.
I think that answers your question.
> When DNSSEC is activated on unbound, DNS-Queries will be send to root DNS-Servers and i got NXDOMAIN.
No, your AD domain queries should be forwarded to a DC.
> Does Samba supports DNSSEC?
Not that I am aware off, but then it shouldn't be used internally.
> What needs to be configure? I don’t found an article in the wiki.

Your setup needs to be configured correctly, your clients should use the 
dns server on the firewall as a caching/forwarding dns server, 
forwarding your AD dns domain queries to the DNS servers running on the 


More information about the samba mailing list