I'm excited that I finally get to talk about what the DNS team has been working on for over a year. That's right - DNSSEC. It's in Windows, and it's on its way.
DNSSEC is a suite of security extensions to the DNS which provide origin authority, data intergity and authenticated denial of existance. Putting that in plain English, DNSSEC allows for a DNS zone to be cryptographically signed (which produces digital signatures), and provides a mechanism for validating the authenticity of the data received using these digital signatures. Validating resolvers and servers must be pre-configured with a Trust Anchor, using which a "chain of trust" will be established to the signed zone. Data from this signed zone can then be validated.
The new and improved DNSSEC RFCs were published in 2005, and since then DNSSEC has seen a steady growth in attention. However this year, things took a much more dramatic turn mainly because of the vulnerabilities that were revealed at BlackHat by researcher Dan Kaminsky. More and more people are showing interest in DNSSEC as a good solution to lock down their DNS infrastructures.
Well, the timing is just perfect. Windows Server 2008 R2 DNS server will offer support for DNSSEC as per these new RFCs. The DNS server is now capable of generating keys and signing DNS zones using a sign-tool that we are providing with the product. The server will also be able to host these signed zones either as a primary or secondary zone, or as an Active Directory-integrated zone. Once configured with a Trust Anchor, the server will be able to perform full validation of data obtained from other signed zones.
On the DNS client, we have implemented a non-validating security-aware stub resolver. Doesn't roll off the tongue very easily, does it [:)]? Breaking it down, all this means is that the DNS client relies on its local DNS server to perform DNSSEC validation and will check to make sure that the server has indeed done so.
Pre-Beta builds of Windows are already available to those who attened the Professional Developers's Conference in LA that ended today. I would strongly encourage those of you who do have Windows 7 to test out DNSSEC and tell us what you think about it.
Over the next few days, I will blog more about what is and isn't in the product, so stay tuned!
Congratulations. I'll hope that your implementation works as expected.
Any support for BIND-like wildcard support and recursion ACL?
Having been both an Admin of a large AD installation and also deployed DNSSEC on the reverse tree for the RIPE NCC, this is very interesting and exciting, hope it all comes together in Windows 7, I'll look forward to getting it up and running.
Re - anonymous' comment - yes, MS DNS does support wildcards. I'm not sure what you mean by recursion ACLs - could you explain?
Thanks Brett! What has your experience with DNSSEC been like so far?
So I downloaded the 2008 R2 beta.
How do I sign (DNSSEC) a zone?
Can't find any menu options or external tools...
The DNSSEC deployment guide (Beta) is here:
Instructions on how to perform key generation and signing of zones can be found in there.
I have a 2003 AD/DNS configuration. I am also running Windows 7. The other day I made some changes to my 2003 DNS from my W7 client and about three hours later Operations Manager started sending alerts out because of configuration issues with trust anchors. I logged into the DNS server and I noticed that a new zone had been created called Trust Anchors. Did my W7 client auto create this zone when I managed the DNS settings? Should this have caused OpsMgr to send out errors (or is something wrong w/ my DNS setup that was only brought to light after this zone was created?). Any comments/suggestions are appreciated. Thanks.
Hmm...very interesting. Your DNS servers are 2003? Trust Anchors is only supported in 2008 R2 and shouldn't show up in 2003.
You can grab my email address from this blog. Feel free to email me with more details if you have them and we'd be happy to take a look here.
I just noticed the same thing in my Server 2003 DNS, there is now a TrustAnchors zone with all my Domain controllers listed. One or two of my admins were using Windows 7 for a while. I assume Windows 7 comes with Server 2008 Admin tools? So would editing a 2003 server with these tools create the zone? Will it cause any problems? I have searched online for a while and this was the first mention of the issue I could find. Thanks.
Is it possible to set "allow-recursion" ACL like BIND to disallow recursive queries on source IPs that don't match the ACL?
Is there any way to add a trust anchor to allow security-aware queries against the signed root zone?