DNSSEC on Windows 7 DNS client

re: DNSSEC on Windows 7 DNS client

Chris — Thu, 15 Apr 2010 12:31:29 GMT

Alex C - RFC 4033 obseletes 3655.

re: DNSSEC on Windows 7 DNS client

Alex C — Mon, 18 Jan 2010 20:00:28 GMT

I'm not a microsoft fan boy, but do a little research. http://www.rfc-archive.org/getrfc.php?rfc=3655

re: DNSSEC on Windows 7 DNS client

Jay Momo — Mon, 09 Nov 2009 04:30:23 GMT

Looks like Microsoft wants to choke out GNU/Linux and Apple OSX systems from the network. There is not a chance that AD bit thing is standardized or publicly documented in any way. So, only Microsoft-authorized clients can use your Microsoft DNS/DHCP server, thus preventing any users from using any sort of non-Microsoft clients. Awesome.

re: DNSSEC on Windows 7 DNS client

Shyam Seshadri [MSFT] — Mon, 16 Feb 2009 20:46:27 GMT

It's not up to the client to "want" security for certain domains and not for certain others. It's up to the client to want it depending on whether or not the domain is signed to begin with. What I mean by that is that a TLD (such as .se, for example) can be signed, but a subdomain like shyam.se need not be signed because I may own shyam.se and I may not care about DNSSEC. In such a scenario, you as the client will have to live with the fact that there's a signed-to-unsigned delegation, and this behavior in the Windows name resolution policy allows for that.

Islands of trusts and signed-to-unsigned delgations are going to be quite common for a few years until DNSSEC is very widely adopted.

re: DNSSEC on Windows 7 DNS client

cameron — Thu, 05 Feb 2009 07:52:06 GMT

i understood it all until the point of "signed-to-unsigned delegation".

in what scenario would you not want security on subdomains? (obviously signed to unsigned delegation) but what does that actually mean? eg. real world example.

re: DNSSEC on Windows 7 DNS client

Mark Andrews — Sun, 01 Feb 2009 02:48:50 GMT

Setting AD is a better strategy for a stub resolver that is not going to perform validation itself. This is covered in dnssec-bis-updates.

4.6. Setting the AD bit on Replies

Section 3.2.3 of [RFC4035] describes under which conditions a

validating resolver should set or clear the AD bit in a response. In

order to protect legacy stub resolvers and middleboxes, validating

resolvers SHOULD only set the AD bit when a response both meets the

conditions listed in RFC 4035, section 3.2.3, and the request

contained either a set DO bit or a set AD bit.

Note that the use of the AD bit in the query was previously

undefined. This document defines it as a signal indicating that the

requester understands and is interested in the value of the AD bit in

the response. This allows a requestor to indicate that it

understands the AD bit without also requesting DNSSEC data via the DO

bit.

http://www.ietf.org/internet-drafts/draft-ietf-dnsext-dnssec-bis-updates-08.txt

» Top 10 changes to security in Windows 7 | 10 Things | TechRepublic.com

Sat, 31 Jan 2009 00:07:48 GMT

PingBack from http://blogs.techrepublic.com.com/10things/?p=488