BIND9 TSIG from Windows Server 2016 DNS Server Zone

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed May 25 19:18:02 UTC 2022


Dear all,

I have a zone local.grf.hr administered by AD, DHCP and DDNS run by Windows Server 2016 (not by my architectural choice). However, since Windows Server 2016 had a round-robin strategy of inquiring the forwarders, it performed worse than BIND9 on an old Debian server.

So, I had BIND9 as the secondary server ("slave" is somewhat politically incorrect), and I wanted to secure transactions with TSIG HMAC-SHA256 or stronger, as between Debian BIND9 servers.

I've been Googling around, and they say it cannot be done, because Windows Server uses a special proprietary GSS-TSIG. The article was for an earlier version of WS.

Has there been some improvement in the meantime?

We are thinking about moving the DHCP server to Linux, but it is a huge job to convert the reservations, so it may not be done in the next couple of months.

I would like to secure DNS xfers from zone poisoning in the meantime, considering the surge of cyber attacks since the recent war started, and our country voted support for the defending party.

Frankly, I am not deep into Microsoft DNS, and I guess there can be some tweaking with PowerShell, and maybe even some undocumented features, but right now I am presented with a problem I can't seem to solve because it is not an open system.

Thanks for any help.

Kind regards,
Mirsad Todorovac

--
Mirsad Goran Todorovac
CARNet sistem inženjer
Grafički fakultet | Akademija likovnih umjetnosti
Sveučilište u Zagrebu
-- 
CARNet system engineer
Faculty of Graphic Arts | Academy of Fine Arts
University of Zagreb, Republic of Croatia
tel. +385 (0)1 3711 451
mob. +385 91 57 88 355
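As an added example for this thread (not code from the post, from BIND 9 or from Windows DNS), the Python below shows what a TSIG HMAC-SHA256 signature on an AXFR request actually covers (RFC 8945) and how the receiving side verifies it, including the BADSIG and BADTIME rejections that defeat a forged or replayed transfer request. It makes the point behind the question concrete: a shared-secret TSIG RR only protects a transfer if the primary is configured with the same key name, algorithm and secret and implements this verification; a primary that only offers IP- or name-server-based transfer restrictions has nothing to check it against. The key name, the 32-byte secret, the zone name reused from the post and the timestamps are constructed for illustration; only the standard library is used and nothing touches the network.

```python
"""TSIG (RFC 8945) signing and verification of a DNS AXFR request.

Added example for the bind-users thread above; not code from the post, from
BIND 9 or from Windows DNS.  Key name, secret and timestamps are constructed.
"""
import hashlib
import hmac
import struct
import time

TYPE_TSIG, TYPE_AXFR, CLASS_IN, CLASS_ANY = 250, 252, 1, 255
ALGORITHMS = {"hmac-sha256.": hashlib.sha256, "hmac-sha512.": hashlib.sha512}


def canonical(name: str) -> str:
    """Lowercase, absolute form of a name: 'Xfer-Key.local.grf.hr' -> 'xfer-key.local.grf.hr.'."""
    return ".".join(l for l in name.lower().rstrip(".").split(".") if l) + "."


def wire_name(name: str) -> bytes:
    """Uncompressed wire form of a canonical name (the form the TSIG MAC is computed over)."""
    labels = [l for l in canonical(name)[:-1].split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def read_name(msg: bytes, off: int):
    """Decode the name at `off`; return (canonical name, offset after it). Follows compression pointers."""
    labels, end = [], None
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                          # pointer: the name ends at off+2 in the stream
            end = (off + 2) if end is None else end
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii").lower())
        off += n


def build_axfr_query(zone: str, msg_id: int) -> bytes:
    """Minimal unsigned AXFR request: 12-byte header plus one question, no other sections."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(zone) + struct.pack("!HH", TYPE_AXFR, CLASS_IN)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b"") -> bytes:
    """The 'TSIG variables' that the MAC covers in addition to the message (RFC 8945 section 4.3.3)."""
    return (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(algorithm)
            + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def tsig_sign(msg, key_name, secret, algorithm="hmac-sha256.", time_signed=None, fudge=300) -> bytes:
    """Append a TSIG RR to an unsigned message and return the signed wire message (RFC 8945 section 5.1)."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, msg + tsig_variables(key_name, algorithm, time_signed, fudge),
                   ALGORITHMS[algorithm]).digest()
    msg_id, arcount = struct.unpack("!H", msg[:2])[0], struct.unpack("!H", msg[10:12])[0]
    rdata = (wire_name(algorithm) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))           # Original ID, Error, Other Len
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return msg[:10] + struct.pack("!H", arcount + 1) + msg[12:] + rr   # TSIG RR counts in ARCOUNT


def tsig_verify(signed, keys, now=None) -> str:
    """Check the trailing TSIG RR against `keys` ({name: secret}); return the key name or raise ValueError."""
    now = int(time.time()) if now is None else now
    keys = {canonical(k): v for k, v in keys.items()}
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    if ar == 0:
        raise ValueError("message carries no TSIG RR")
    off = 12
    for _ in range(qd):                               # skip the question section
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar - 1):                 # skip every RR before the last one
        off = read_name(signed, off)[1]
        off += 10 + struct.unpack("!H", signed[off + 8:off + 10])[0]
    tsig_off = off
    key_name, off = read_name(signed, tsig_off)
    rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        raise ValueError("last RR is not a TSIG RR")
    rd = signed[off + 10:off + 10 + rdlen]
    algorithm, p = read_name(rd, 0)
    time_signed = int.from_bytes(rd[p:p + 6], "big")
    fudge, mac_len = struct.unpack("!HH", rd[p + 6:p + 10])
    mac = rd[p + 10:p + 10 + mac_len]
    orig_id, error, other_len = struct.unpack("!HHH", rd[p + 10 + mac_len:p + 16 + mac_len])
    other = rd[p + 16 + mac_len:p + 16 + mac_len + other_len]
    if key_name not in keys or algorithm not in ALGORITHMS:
        raise ValueError("BADKEY")                    # unknown key name or unsupported algorithm
    if abs(now - time_signed) > fudge:
        raise ValueError("BADTIME")                   # outside the fudge window: replay or clock skew
    # Rebuild the message as it was before signing: Original ID restored, ARCOUNT decremented, TSIG RR dropped.
    unsigned = struct.pack("!H", orig_id) + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_off]
    expected = hmac.new(keys[key_name], unsigned + tsig_variables(key_name, algorithm, time_signed, fudge, error, other),
                        ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("BADSIG")
    return key_name


# Constructed values: key name, 32-byte secret and timestamp are made up for the demo.
KEY_NAME, SECRET, T0 = "xfer-key.local.grf.hr.", bytes(range(32)), 1653500000


def demo() -> dict:
    """Sign an AXFR request for local.grf.hr, verify it, then show which check a forged or stale request fails."""
    signed = tsig_sign(build_axfr_query("local.grf.hr", 0x1234), KEY_NAME, SECRET, time_signed=T0)
    results = {"valid": tsig_verify(signed, {KEY_NAME: SECRET}, now=T0 + 100)}
    tampered = signed[:13] + b"m" + signed[14:]      # flip the first byte of the zone's first label
    for label, msg, keys, now in (("tampered", tampered, {KEY_NAME: SECRET}, T0 + 100),
                                  ("wrong-secret", signed, {KEY_NAME: b"\x00" * 32}, T0 + 100),
                                  ("stale", signed, {KEY_NAME: SECRET}, T0 + 3600)):
        try:
            tsig_verify(msg, keys, now=now)
            results[label] = "accepted"
        except ValueError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:13s} {v}")
```

On the BIND 9 side the same computation is configured, not coded: `tsig-keygen -a hmac-sha256 xfer-key` prints a ready-made `key` statement, and a `server <primary-address> { keys { xfer-key; }; };` statement makes the secondary sign its AXFR/IXFR requests with it, while the primary's `allow-transfer { key xfer-key; };` rejects unsigned requests. The fudge window (300 seconds by default in BIND) is why both ends need synchronized clocks: a request outside it fails with BADTIME exactly as the "stale" case above does.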
