DNSSEC deployment guide (Beta) for Windows Server 2008 R2

Published 13 February 09 03:07 PM

Check out the Windows Server 2008 R2 DNSSEC Deployment Guide here:

http://www.microsoft.com/downloads/details.aspx?FamilyID=7a005a14-f740-4689-8c43-9952b5c3d36f&DisplayLang=en

Please note that this is a Beta guide.  Your feedback is most welcome!

DNSSEC also features in the "What's New in DNS in Windows 2008 R2" page: http://technet.microsoft.com/en-us/library/dd378952.aspx

by sseshad

Comments

# jgurtz said on February 20, 2009 12:01 PM:

It's great that Windows DNS will, at long last, finally support DNSSEC! As everyone involved in DNS surely knows, it is the real way to fix the Kaminsky bug.

Unfortunately, I see in this deployment guide:

"Dynamic updates are automatically disabled on a DNSSEC-signed zone. Windows Server 2008 R2 DNS server supports the signing of static zones only. You must use Dnscmd.exe or DNS Manager to add more resource records to a zone and the zone must be re-signed."

Well, at least DNSSEC will be available for Internet-facing zones, which are normally static. What about all these Windows clients on the network which send dynamic updates? I can't see moving all DHCP client PCs to static addressing or 100% DHCP reservations. Pretty unmanageable for more than a handful of hosts. One workaround I see would be clients doing dynamic updates to a DNSSEC zone on a server running BIND using the nsupdate client tool. The Windows AD/DNS would then be a secondary to the BIND infrastructure.

Looking forward, does Microsoft intend for DNSSEC to be an "Internet only" feature and for clients to continue using a proprietary secure dynamic update protocol for internal Windows hosts?

Will secure dynamic updates ( tsig(0) ) to a DNSSEC-signed zone be added in the future?

Also, command-line stuff is great, wonderful for those times when things need to be scripted in a scalable way. Still, this is Windows after all, and a useful GUI is one of the reasons why one would use Windows instead of Linux, etc... Will there be future integration of DNSSEC key generation and zone signing into the DNS Manager snap-in? A stop-gap measure might be a simple .NET tool that automates dnscmd.exe.

Thanks though, good to see progress on this front!


About sseshad

Shyam Seshadri is the Program Manager in Microsoft responsible for the Windows Domain Name System (DNS) server and client products.
