DNSSEC and MS AD

John Williams john.1209 at yahoo.com
Tue Aug 9 17:07:55 UTC 2011



--- On Tue, 8/9/11, Chris Buxton <chris.p.buxton at gmail.com> wrote:

> From: Chris Buxton <chris.p.buxton at gmail.com>
> Subject: Re: DNSSEC and MS AD
> To: "John Williams" <john.1209 at yahoo.com>
> Cc: bind-users at lists.isc.org
> Date: Tuesday, August 9, 2011, 5:00 PM
> On Aug 9, 2011, at 9:13 AM, John Williams wrote:
> 
> > My company (as many) runs Microsoft Active Directory
> > internally and we use BIND for our Internet DNS
> > presence.  We have had our domain signed for some
> > time.  Now I've been tasked to look into Signing our AD
> > implementation.  MS has their own version of DNSSEC for
> > their DNS but my question is would this work, at all?
> > 
> > My (signed) external zone running on BIND is aaa.com,
> > and my internal AD domain is aaa.com as well.  I don't
> > believe I can have two signatures (or DS records) for a
> > child domain on the parent.  The only solution I can
> > think of is to import my BIND keys into Active Directory
> > DNS.  I don't know if that is doable at this time.
> 
> With a private version of a domain, you should not need to
> worry about a DS record in the parent. Just make sure your
> internal caching servers not only can find the internal
> version of your domain, but also can validate the signatures
> therein, most likely using a trusted or managed key specific
> to that internal domain.
> 
> I'll not try to get into the specifics of using MS DNS for
> this purpose because this is not the right forum.
> 
> Regards,
> Chris Buxton
> BlueCat Networks

Based on your response, I'm wondering how an application such as Exchange (SMTP, which clearly relies on DNS) will work in this model.  Are there any effects of the parent domain (.com, .net, whatever...) not having the DS records for the domain?
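
The arrangement suggested in the quoted reply, a trust anchor for the internal version of the zone configured on the internal caching servers, could look like this in named.conf. This is an added example, not part of the original thread: the address 192.0.2.53, algorithm number 8 and the key placeholder are assumptions, and the syntax is the BIND 9.8-era `managed-keys` form (newer releases use a `trust-anchors` statement with the same entry).

```conf
// named.conf on an INTERNAL caching/validating resolver (added example).

options {
    recursion yes;
    dnssec-enable yes;       // BIND 9.8-era option; removed in later releases
    dnssec-validation yes;   // validate against the trust anchors configured below
};

// Trust anchor for the internal version of aaa.com.
// Because the resolver holds an anchor at aaa.com itself, it validates
// internal answers against this key and does not need a DS record for the
// internal zone in the parent. The external aaa.com keeps its own DS in the
// parent for Internet clients.
// 257 = KSK flags, 3 = protocol, 8 = RSASHA256 (assumed algorithm).
managed-keys {
    "aaa.com." initial-key 257 3 8
        "<PLACEHOLDER: base64 public KSK of the internal aaa.com zone>";
};

// Send queries for aaa.com to the internal authoritative servers instead of
// resolving the name from the Internet.
zone "aaa.com" {
    type forward;
    forward only;
    forwarders { 192.0.2.53; };   // constructed address of an internal DNS server
};
```

A query such as `dig +dnssec aaa.com SOA` sent to this resolver should come back with the `ad` flag set once the anchor matches the internal zone's key; a SERVFAIL usually means the configured key and the key signing the internal zone differ.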


