DNSSEC Validation Disable checking for internal zones using NRPT RRS feed

  • Question

  • Hi All

    We're looking at enabling DNSSEC validation on our Server 2012 DNS servers and we have run into a problem with internal zones.

    We have a multi-domain, multi-forest environment with a resource forest for shared services. Our resource forest DNS servers handle conditional forwarding for our internal domains and unconditional forwarding to our ISP for external resolution. Due to legacy reasons some of our internal domains are .local, which is problematic for DNSSEC.

    We implemented NRPT policies to disable DNSSEC validation for our internal domains and then added the .root trusted anchor DNSKEY to our resource forest DNS servers to enable DNSSEC validation for external DNS resolution. However, as soon as we implemented this it broke conditional forwarding for our internal domains.

    Upon investigation, using DIG, it appears that even though we have configured NRPT policies to disable DNSSEC validation for our internal domains, the CD flag on the DNS query is not set, resulting in the DNS recursive server responding with SERVFAIL.

    If we use Dig with +cdflag, the DNS recursive server responds with the correct response and NOERROR.

    My question is twofold: why don't NRPT policies set the CD flag when DNSSEC validation is set to false, and is there any way that we can configure Windows to set the CD flag for resolving specific domains?

    I know we can add additional DNS servers to perform external resolution and DNSSEC validation so that the internal conditional forwarding isn't impacted by this, but I would prefer not to have to introduce more servers if I can help it.


    Kriss Milne | MCSE | https://blog.krissmilne.tech | Twitter | LinkedIn


    • Edited by Kriss Milne Thursday, October 19, 2017 7:04 AM
    Thursday, October 19, 2017 7:03 AM
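The SERVFAIL-versus-NOERROR behaviour described in the question comes down to one bit in the DNS header: the CD (Checking Disabled) flag, bit 0x0010 of the flags word, which `dig +cdflag` sets and which a validating resolver copies into its response (RFC 4035, section 3.2.2). The following is an added example, not code from the original thread or from Microsoft, that builds a query with and without CD and classifies a resolver's reply by its RCODE. The two response packets are constructed by hand to mirror what the question reports (SERVFAIL for a plain query, NOERROR when CD is set); the name `app.corp.local`, the transaction ID and the address 10.0.0.5 are assumptions for illustration only.

```python
"""Build DNS queries with and without the CD bit and classify the reply.

Added example, not from the original thread. The sample responses below
are constructed by hand, not captured from a real resolver."""
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1, RFC 4035 section 3.2.2).
FLAG_QR = 0x8000  # response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authentic data: resolver validated the answer
FLAG_CD = 0x0010  # checking disabled: querier asks resolver NOT to validate
RCODE_MASK = 0x000F

RCODE_NOERROR = 0
RCODE_SERVFAIL = 2
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name):
    """Encode a dotted name as length-prefixed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234, cd=False):
    """Wire-format query. cd=True produces what `dig +cdflag` sends."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def query_has_cd(pkt):
    """True if the CD bit is set in a query or response header."""
    return bool(struct.unpack("!H", pkt[2:4])[0] & FLAG_CD)


def parse_header(pkt):
    """Decode the 12-byte header into the fields that matter here."""
    if len(pkt) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "qr": bool(flags & FLAG_QR),
            "rcode": flags & RCODE_MASK, "ad": bool(flags & FLAG_AD),
            "cd": bool(flags & FLAG_CD), "answers": an}


def describe(response):
    """Explain a resolver reply in terms of DNSSEC validation."""
    h = parse_header(response)
    if h["rcode"] == RCODE_SERVFAIL and not h["cd"]:
        return "SERVFAIL: resolver attempted validation and failed (CD not set)"
    if h["rcode"] == RCODE_NOERROR and h["cd"]:
        return "NOERROR: resolver skipped validation because CD was set"
    if h["rcode"] == RCODE_NOERROR and h["ad"]:
        return "NOERROR: answer validated (AD set)"
    return "rcode=%d ad=%s cd=%s" % (h["rcode"], h["ad"], h["cd"])


def send_query(server, name, cd=False, timeout=2.0):
    """Send one UDP query to a resolver and return the raw reply (network)."""
    q = build_query(name, cd=cd)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    if parse_header(data)["id"] != parse_header(q)["id"]:
        raise ValueError("transaction ID mismatch")
    return data


# Constructed sample replies for the question in the thread (not captured).
QUESTION = encode_name("app.corp.local") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
# Plain query (no CD): resolver tried to validate the unsigned .local zone.
SERVFAIL_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0
) + QUESTION
# Query with CD: resolver copies CD into the reply and returns the A record.
NOERROR_RESPONSE = struct.pack(
    "!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1, 1, 0, 0
) + QUESTION + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4) \
  + bytes([10, 0, 0, 5])

if __name__ == "__main__":
    for cd in (False, True):
        print("cd=%s query flags: %s" % (cd, build_query("app.corp.local", cd=cd)[2:4].hex()))
    print(describe(SERVFAIL_RESPONSE))
    print(describe(NOERROR_RESPONSE))
```

Against a live resolver, `describe(send_query("10.0.0.1", "app.corp.local"))` and the same call with `cd=True` reproduce the `dig` and `dig +cdflag` comparison from the question. The CD bit only tells the resolver to return whatever it has without validating; the AD bit is the only signal that an answer was actually validated, so a client that sets CD for a namespace must not treat those answers as authenticated.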

All replies

  • Hi,

    Thank you for your question. 

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.
    Thank you for your understanding and support.

    Best Regards,

    Frank


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Friday, October 20, 2017 7:46 AM
  • Hi,

    1. In my test environment, there is no CD flag setting on the DNS server.
    2. In which environment is the Dig cdflag configured? The Linux environment, or the Windows environment?
    3. Could you please tell us about the process of configuring the CD flag?
    4. Please check whether a CDflag value exists in your registry.

    Best Regards,

    Frank




    Thursday, October 26, 2017 5:14 AM
  • Hi,
    Thanks for your update and for sharing.
    Best Regards,
    Frank


    Tuesday, October 31, 2017 8:37 AM