[Samba] Samba and DNSSEC?
Rowland Penny
rpenny at samba.org
Thu Jan 16 10:45:03 UTC 2025
On Thu, 16 Jan 2025 09:28:45 +0100
Joachim Lindenberg via samba <samba at lists.samba.org> wrote:
> There are occasional questions on DNSSEC support:
>
> https://lists.samba.org/archive/samba/2013-September/175620.html
>
> https://lists.samba.org/archive/samba/2015-September/194351.html
>
> https://lists.samba.org/archive/samba/2019-July/224293.html
>
> https://lists.samba.org/archive/samba/2023-December/247518.html
>
> But I haven't noticed any definite answer nor any documentation on
> Wiki.
>
What, you didn't notice that Samba doesn't support the use of dnssec?
>
>
> My understanding is, that bind would be able to sign any static
> content,
Yes, bind can sign dns records.
> however samba essentially serves content from the database
> unsigned, no matter which backend configuration (SAMBA_INTERNAL or
> BIND9_DLZ) is used.
Correct, Samba has no code to sign dns records.
> DNSSEC could probably be added via an additional
> DNS-Server that uses Samba „upstream“ and signs responses from Samba
> only.
The problem with that is, the DCs have to be authoritative for the
active directory dns domain and any 'upstream' dns server will not be,
sort of defeats the idea of domain security in my opinion.
It must be possible to get Samba AD to use dnssec, Windows does it, it
just needs someone to write the code.
Rowland