DNSSEC in Windows 7
I'm excited that I finally get to talk about what the DNS team has been working on for over a year. That's right - DNSSEC. It's in Windows, and it's on its way.
DNSSEC is a suite of security extensions to the DNS which provide origin authority, data intergity and authenticated denial of existance. Putting that in plain English, DNSSEC allows for a DNS zone to be cryptographically signed (which produces digital signatures), and provides a mechanism for validating the authenticity of the data received using these digital signatures. Validating resolvers and servers must be pre-configured with a Trust Anchor, using which a "chain of trust" will be established to the signed zone. Data from this signed zone can then be validated.
The new and improved DNSSEC RFCs were published in 2005, and since then DNSSEC has seen a steady growth in attention. However this year, things took a much more dramatic turn mainly because of the vulnerabilities that were revealed at BlackHat by researcher Dan Kaminsky. More and more people are showing interest in DNSSEC as a good solution to lock down their DNS infrastructures.
Well, the timing is just perfect. Windows Server 2008 R2 DNS server will offer support for DNSSEC as per these new RFCs. The DNS server is now capable of generating keys and signing DNS zones using a sign-tool that we are providing with the product. The server will also be able to host these signed zones either as a primary or secondary zone, or as an Active Directory-integrated zone. Once configured with a Trust Anchor, the server will be able to perform full validation of data obtained from other signed zones.
On the DNS client, we have implemented a non-validating security-aware stub resolver. Doesn't roll off the tongue very easily, does it [:)]? Breaking it down, all this means is that the DNS client relies on its local DNS server to perform DNSSEC validation and will check to make sure that the server has indeed done so.
Pre-Beta builds of Windows are already available to those who attened the Professional Developers's Conference in LA that ended today. I would strongly encourage those of you who do have Windows 7 to test out DNSSEC and tell us what you think about it.
Over the next few days, I will blog more about what is and isn't in the product, so stay tuned!
Comments
Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
The DNSSEC deployment guide (Beta) is here: http://www.microsoft.com/downloads/details.aspx?FamilyID=7a005a14-f740-4689-8c43-9952b5c3d36f&DisplayLang=en Instructions on how to perform key generation and signing of zones can be found in there.Anonymous
January 01, 2003
The comment has been removedAnonymous
January 01, 2003
Thanks Brett! What has your experience with DNSSEC been like so far?Anonymous
November 03, 2008
Congratulations. I'll hope that your implementation works as expected.Anonymous
November 12, 2008
Any support for BIND-like wildcard support and recursion ACL?Anonymous
December 04, 2008
Having been both an Admin of a large AD installation and also deployed DNSSEC on the reverse tree for the RIPE NCC, this is very interesting and exciting, hope it all comes together in Windows 7, I'll look forward to getting it up and running. BrettAnonymous
January 22, 2009
So I downloaded the 2008 R2 beta. How do I sign (DNSSEC) a zone? Can't find any menu options or external tools...Anonymous
March 09, 2009
The comment has been removedAnonymous
July 26, 2009
Is it possible to set "allow-recursion" ACL like BIND to disallow recursive queries on source IPs that don't match the ACL?