DNSSEC, need digest of UTM to add trust anchor

I'm trying to enable DNSSEC on my network.  I have Cloudflare -> Sophos UTM -> Windows AD.

Windows AD is in request routing from the UTM.

Windows machines have to use the AD servers for DNS, which point to UTM, which point to Cloudflare.

The problem I have is how do I configure the Windows 2016 DNS to trust UTM as a DS trust anchor?  It is asking for the UTM digest and key tag, which I cannot find anywhere.

For Cloudflare it is right there on the dashboard, no problem. Without it, how can I make the chain work?
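
A DS record (the "digest and key tag" that a Windows DNS trust anchor asks for) is derived from the signed zone's own DNSKEY, not from a forwarder: the key tag is the checksum from RFC 4034 Appendix B and the digest is a hash over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034 section 5, RFC 4509 for SHA-256). The script below, added here as an example and not code from this thread or from Sophos, computes both from a DNSKEY in presentation format such as `dig DNSKEY domain.local` prints. The sample record is constructed: the owner name is the thread's `domain.local`, but the three-byte "public key" is a placeholder, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types (IANA registry): 1 = SHA-1 (RFC 4034), 2 = SHA-256 (RFC 4509), 4 = SHA-384 (RFC 6605).
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Canonical wire form of an owner name (lowercase, length-prefixed labels, root byte)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (valid for every algorithm except
    the obsolete RSA/MD5, algorithm 1, which used a different rule)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if (i & 1) else (byte << 8)
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(presentation):
    """Parse 'owner [ttl] [IN] DNSKEY flags protocol algorithm base64...' into (owner, rdata).
    Handles dig's +multiline output by dropping parentheses and the trailing ';' comment."""
    text = presentation.split(";")[0].replace("(", " ").replace(")", " ")
    tokens = text.split()
    i = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    # RDATA wire layout: flags (2 bytes), protocol (1), algorithm (1), public key.
    return owner, struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def ds_digest_input(owner, rdata):
    """The exact bytes the DS digest covers: canonical owner name, then the DNSKEY RDATA."""
    return name_to_wire(owner) + rdata


def ds_from_dnskey(presentation, digest_type=2):
    """Return the DS fields (key tag, algorithm, digest type, uppercase hex digest)."""
    owner, rdata = parse_dnskey(presentation)
    digest = DIGEST_ALGS[digest_type](ds_digest_input(owner, rdata)).hexdigest().upper()
    algorithm = rdata[3]
    return key_tag(rdata), algorithm, digest_type, digest


def ds_presentation(presentation, digest_type=2):
    """Format the DS record the way it would be entered into a parent zone or a trust-anchor list."""
    owner, _ = parse_dnskey(presentation)
    tag, algorithm, dtype, digest = ds_from_dnskey(presentation, digest_type)
    return f"{owner} IN DS {tag} {algorithm} {dtype} {digest}"


# Constructed sample (assumption, not a real key): a KSK-flagged record (257) for domain.local
# whose "public key" is the three bytes 01 02 03 ('AQID' in base64). Feed the real DNSKEY
# from `dig DNSKEY domain.local` on the AD server instead.
SAMPLE_KSK = "domain.local. 3600 IN DNSKEY 257 3 8 AQID"

if __name__ == "__main__":
    print(ds_presentation(SAMPLE_KSK))
```

Trust anchors are normally taken from the KSK (flags 257) of the zone; the digest type is chosen by whoever consumes the DS, and SHA-256 (type 2) is the usual default.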

  • If you already have DNSSEC selected on the 'Global' tab of DNS and all of the Forwarders are DNSSEC capable, this may be a question that might find an answer in a Windows 2016 forum.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think I need to rephrase the question.  I'm not asking anything about Windows.

    I'm asking for information from Sophos UTM.

    When I enable DNSSEC with request routing, all internal DNS resolution goes down.  Everything fails.  The UTM request routing cannot reach the internal DNS servers.

    All internal DNS servers are now bypassing UTM and going outside for DNS.  I had to disable DNSSEC to get the LAN back.

    With Sophos DNSSEC on, all users lose internal address resolution.  Turn it off, and the network comes back up in about 10 seconds.

  • I am hoping that Sophos Support can help you, and that you can share the solution.   I am thinking about enabling the feature, but afraid of what I don't know.   I have the impression that the feature is not widely utilized.

    Is your internal domain same or different from your external domain?  (e.g. *.local inside and *.com outside, or *.com on both sides of the firewall?)  I think it gets trickier if the internal and external domains match.

    Are you enabling DNSSEC on your external domain, or are you simply trying to use DNSSEC published by others?  Obviously, it should be easier to use others' DNSSEC information first.

  • DouglasFoster said:

    I am hoping that Sophos Support can help you, and that you can share the solution.   I am thinking about enabling the feature, but afraid of what I don't know.   I have the impression that the feature is not widely utilized.

    Agreed, and I got this statement from a consultant too.

    DouglasFoster said:

    Are you enabling DNSSEC on your external domain, or are you simply trying to use DNSSEC published by others?  Obviously, it should be easier to use others' DNSSEC information first.

    I am at the same stage at the moment, meaning I am trying to use others' DNSSEC information. I have a ticket open with Sophos, because resolution of internal hosts via AD DNS is broken. At the moment the ticket is escalated to second level. We'll see if I can get this finished.
    There is not very much about this in the community here. Maybe we'll get to a result this time :-)

    Best regards
    Alex


  • My external domain is domain.com.  Internal is domain.local.

    My inside domain.local is active directory, and it has DNSSEC enabled and the zone is signed.

    The problem is that when DNSSEC is enabled, UTM stops talking to domain.local, saying "broken chain".

    Also, my internal domain won't query UTM for the same reason.  I've found nearly zero documentation.

  • I have been studying this for days now.

    It appears to me that the Sophos DNSSEC trust system ONLY works with IANA trust anchors.

    If true, then it would not be usable for your local network.  Unless I am totally misunderstanding something.

    As far as I can tell there is no way to give it your local trust anchors.

  • Further update.  I don't think the problem is trust anchors.

    I can log on to the UTM as root and from the command line, DNSSEC seems to work.

        dig server.domain.local +dnssec

    This returns success.  However, the DNS proxy fails to work.
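
A `dig ... +dnssec` query that comes back NOERROR only proves that the resolver answered; whether the answer was validated is shown by the `ad` flag in the `;; flags:` line of the dig output, and that flag reflects the server dig actually talked to (the one in its `SERVER:` line). A validation failure, which is what a "broken chain" is, shows up instead as SERVFAIL that turns into NOERROR when the same query is repeated with `+cd` (checking disabled), which separates a bogus chain from a resolver that simply cannot reach the zone. The checker below, added here as an example and not code from this thread or from Sophos, classifies dig output on that basis; the three dig headers are constructed samples, not captures from the poster's UTM.

```python
import re

# Constructed sample dig headers (assumption: abridged to the lines the check needs).
# NOERROR with the 'ad' flag: the resolver validated the answer.
SECURE = """\
; <<>> DiG 9.11.3 <<>> server.domain.local +dnssec
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4211
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
# NOERROR without 'ad': answered, but not validated (insecure zone, non-validating
# resolver, or a resolver that has no trust anchor covering the name).
INSECURE = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4212
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
# SERVFAIL: either validation failed (bogus) or the resolver could not get an answer at all.
FAILED = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4213
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""

STATUS_RE = re.compile(r"status: ([A-Z]+)")
FLAGS_RE = re.compile(r"^;; flags: ([a-z ]*);", re.M)


def parse_header(dig_output):
    """Return (rcode, set of header flags) from dig's text output."""
    status = STATUS_RE.search(dig_output)
    if status is None:
        raise ValueError("no ';; ->>HEADER<<-' line in dig output")
    flags = FLAGS_RE.search(dig_output)
    return status.group(1), set(flags.group(1).split()) if flags else set()


def classify(dig_output):
    """'secure' (validated), 'insecure' (answered, not validated), 'servfail', or the lowercase rcode."""
    rcode, flags = parse_header(dig_output)
    if rcode == "SERVFAIL":
        return "servfail"
    if rcode != "NOERROR":
        return rcode.lower()
    return "secure" if "ad" in flags else "insecure"


def validation_failed(normal_output, cd_output):
    """True when the plain query SERVFAILs but the same query with +cd is answered:
    the resolver can reach the zone and rejects the chain, i.e. the data is bogus."""
    return classify(normal_output) == "servfail" and classify(cd_output) != "servfail"


if __name__ == "__main__":
    for label, sample in (("secure", SECURE), ("insecure", INSECURE), ("failed", FAILED)):
        print(label, "->", classify(sample))
    # FAILED without +cd, INSECURE as the +cd result: bogus chain, not a reachability problem.
    print("bogus chain:", validation_failed(FAILED, INSECURE))
```

Run the two queries against the resolver under test (for the UTM's own resolver, the command-line equivalent is `dig @<resolver> server.domain.local +dnssec` and the same with `+cd`) and pipe each output into the functions above; a 'secure' result for an internal name requires a trust anchor or a validated delegation for that zone on the resolver being asked.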

    My internal DNS zone is not signed, but I would guess a resolution by request routing should be trusted. The question is only whether that holds when no signature is used or, in your case, with an untrusted signature too. That was my guess, but this seems not to work.

    There should be more documentation about this available.

    Thanks for posting your information so far.

    BR

    Alex


    My communication with support ended today. Support stated that it's not possible to use UTM DNSSEC without usage of DNSSEC on all resolvers, so on internal resolvers too. How to import the keys for this wasn't answered.
    So after this I would doubt that anyone is using DNSSEC productively.
    But I like to be convinced the opposite.

    Best regards

    Alex


  • Alexander Busch said:

    My communication with support ended today. Support stated that it's not possible to use UTM DNSSEC without usage of DNSSEC on all resolvers, so on internal resolvers too. How to import the keys for this wasn't answered.
    So after this I would doubt that anyone is using DNSSEC productively.
    But I like to be convinced the opposite.

    Best regards

    Alex

    But I DO have DNSSEC on all resolvers.  As I stated earlier.