
DNSSEC, need digest of UTM to add trust anchor

I'm trying to enable DNSSEC on my network.  I have Cloudflare -> Sophos UTM -> Windows AD.

Windows AD is in request routing from the UTM.

Windows machines have to use the AD servers for DNS, which point to UTM, which point to Cloudflare.

The problem I have is: how do I configure the Windows 2016 DNS to trust UTM as a DS trust anchor?  It is asking for the UTM digest and key tag, which I cannot find anywhere.

For Cloudflare it is right there on the dashboard, no problem. Without it, how can I make the chain work?
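The digest and key tag that the Windows DS trust-anchor dialog asks for are the fields of a DS record, which RFC 4034 defines as a function of a signed zone's DNSKEY: a 16-bit key tag computed over the DNSKEY RDATA (Appendix B) and a hash over the owner name plus that RDATA (section 5.1.4). That is why a zone operator's dashboard can display them for its own zone. As an added example (not from this thread, from Sophos, or from Microsoft), the Python below derives all four DS fields from a DNSKEY given in presentation form; the key material in it is a constructed placeholder, not a real key.

```python
"""Derive the DS record fields (key tag, algorithm, digest type, digest)
from a DNSKEY record, following RFC 4034 section 5.1.4 and Appendix B.
Constructed example data only; no real zone key is used."""
import base64
import hashlib
import struct

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"invalid label {label!r}")
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_dnskey(presentation: str) -> bytes:
    """Turn the presentation form 'flags protocol algorithm base64-key'
    (what a zone dashboard or `dig DNSKEY` prints) into DNSKEY RDATA."""
    fields = presentation.split()
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    public_key = base64.b64decode("".join(fields[3:]))
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def is_ksk(rdata: bytes) -> bool:
    """True when the SEP (Secure Entry Point) flag bit is set, i.e. flags=257.
    A DS record is normally published for the KSK, not for a ZSK."""
    flags = struct.unpack("!H", rdata[:2])[0]
    return bool(flags & 0x0001)


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag for algorithms other than 1 (RSA/MD5):
    a 16-bit word sum over the RDATA with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, rdata: bytes, digest_type: int = 2):
    """Return (key_tag, algorithm, digest_type, digest_hex) for the DS RR.
    The digest covers owner name (wire form) || DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return key_tag(rdata), rdata[3], digest_type, digest.upper()


if __name__ == "__main__":
    # Constructed DNSKEY: flags 257 (ZONE+SEP), protocol 3, algorithm 13
    # (ECDSAP256SHA256), with a placeholder 4-byte "public key". Not a real key.
    rdata = parse_dnskey("257 3 13 AQIDBA==")
    tag, alg, dtype, digest = ds_record("example.com.", rdata)
    print(f"KSK: {is_ksk(rdata)}")
    print(f"example.com. IN DS {tag} {alg} {dtype} {digest}")
```

To check a real zone, paste its DNSKEY line (flags 257 for the KSK) into `parse_dnskey` and compare the printed key tag and digest with what the zone operator publishes; a mismatch means either the wrong key was pasted or the owner name differs.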

  • If you already have DNSSEC selected on the 'Global' tab of DNS and all of the Forwarders are DNSSEC capable, this may be a question that might find an answer in a Windows 2016 forum.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I think I need to rephrase the question.  I'm not asking anything about Windows.

    I'm asking for information from Sophos UTM.

    When I enable DNSSEC with request routing, all internal DNS resolution goes down.  Everything fails.  The UTM request routing cannot reach the internal DNS servers.

    All internal DNS servers are now bypassing UTM and going outside for DNS.  I had to disable DNSSEC to get the LAN back.

    With Sophos DNSSEC on, all users lose internal address resolution.  Turn it off, and the network comes back up in about 10 seconds.
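When a validating resolver starts returning failures for internal names, the first thing to establish is whether it cannot reach the internal servers at all or whether it reaches them and rejects their answers as bogus. The CD (Checking Disabled) bit, RFC 4035 section 3.2.2, asks the resolver to hand back data without validating it, so a name that resolves with CD set but fails without it is being rejected by validation; an internal-only zone served by AD servers has no chain to a public trust anchor, so a validating forwarder has to be configured to treat that zone as insecure. As an added diagnostic (not from this thread or from Sophos), the Python below builds the two queries with the DO bit set, parses the response headers and classifies the result, the same test `dig +cd` gives; the resolver address and the name are assumed to be supplied on the command line, and the offline demonstration uses constructed response headers.

```python
"""Build DNSSEC-aware DNS queries and classify a resolver's answers.
Sends the same question twice: once with checking enabled, once with the
CD (Checking Disabled) bit set. If only the CD query succeeds, the resolver
can reach the data but rejects it as bogus. Constructed sample responses are
used for the offline demonstration; a live check needs a resolver IP."""
import socket
import struct
import sys

RCODE_NAMES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
FLAG_RD, FLAG_AD, FLAG_CD = 0x0100, 0x0020, 0x0010


def build_query(qname: str, qtype: int = 1, cd: bool = False, txid: int = 0x1234) -> bytes:
    """DNS query with RD set, optional CD bit, and an EDNS0 OPT RR with DO=1
    so the resolver returns RRSIG data and performs validation."""
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)
    labels = [l for l in qname.rstrip(".").lower().split(".") if l]
    qname_wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname_wire + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, class = UDP payload size, TTL field carries DO bit
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte header: transaction id, RCODE, and the AD/CD flags."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    rcode = flags & 0x000F
    return {"id": txid, "rcode": rcode, "rcode_name": RCODE_NAMES.get(rcode, str(rcode)),
            "ad": bool(flags & FLAG_AD), "cd": bool(flags & FLAG_CD),
            "answers": an, "truncated": bool(flags & 0x0200)}


def classify(checked: dict, unchecked: dict) -> str:
    """Compare the answer with validation on (checked) against the CD answer."""
    if checked["rcode"] == 0:
        return "secure" if checked["ad"] else "insecure (resolves, no AD flag)"
    if checked["rcode"] == 2 and unchecked["rcode"] == 0:
        return "bogus (SERVFAIL only with validation; resolver rejected the data)"
    return (f"lookup failure ({checked['rcode_name']} even with CD; "
            "reachability or forwarding, not validation)")


def probe(resolver_ip: str, qname: str, timeout: float = 3.0) -> str:
    """Live check: send both queries over UDP to resolver_ip and classify."""
    results = {}
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(qname, cd=cd), (resolver_ip, 53))
            results[cd] = parse_header(s.recv(4096))
    return classify(results[False], results[True])


def sample_response(txid: int, rcode: int, ad: bool = False, cd: bool = False) -> bytes:
    """Constructed response header (QR, RD, RA set) for the offline demonstration."""
    flags = 0x8180 | rcode | (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0)
    return struct.pack("!HHHHHH", txid, flags, 1, 1 if rcode == 0 else 0, 0, 0)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: python dnssec_probe.py <resolver-ip> <name>
        print(probe(sys.argv[1], sys.argv[2]))
    else:
        # Offline: a constructed pair of answers, SERVFAIL with checking on and
        # NOERROR once CD is set, which classifies as a validation failure.
        checked = parse_header(sample_response(0x1234, 2))
        unchecked = parse_header(sample_response(0x1234, 0, cd=True))
        print(classify(checked, unchecked))
```

Run it against the UTM's address with an internal hostname while DNSSEC is enabled; "bogus" points at the validation policy for the internal zone, while a "lookup failure" with CD set as well means the forwarder never got an answer from the AD servers and the request-routing path itself is the problem.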

  • I am hoping that Sophos Support can help you, and that you can share the solution. I am thinking about enabling the feature, but afraid of what I don't know. I have the impression that the feature is not widely utilized.

    Is your internal domain the same as or different from your external domain?  (e.g. *.local inside and *.com outside, or *.com on both sides of the firewall?)  I think it gets trickier if the internal and external domains match.

    Are you enabling DNSSEC on your external domain, or are you simply trying to use DNSSEC published by others?  Obviously, it should be easier to use others' DNSSEC information first.

  • DouglasFoster said:

    I am hoping that Sophos Support can help you, and that you can share the solution. I am thinking about enabling the feature, but afraid of what I don't know. I have the impression that the feature is not widely utilized.

    Agree, and got this statement from a consultant too.

    DouglasFoster said:

    Are you enabling DNSSEC on your external domain, or are you simply trying to use DNSSEC published by others?  Obviously, it should be easier to use others' DNSSEC information first.

    I'm at the same stage of progress at the moment, meaning I'm trying to use others' DNSSEC information. I have a ticket open with Sophos, because resolution of internal hosts via AD DNS is broken. At the moment the ticket is escalated to second level. We'll see if I can finish this.
    There is not very much about this in the community here. Maybe we'll get to a result this time :-)
    Best regards
    Alex
