
Windows DNSSEC Status


frye

Presentation Transcript


1. Windows DNSSEC Status

• Windows Server® 2008 R2 provides support for DNSSEC
• Recommended: start learning today!
• Designed to secure internal DNS static zones and to act as a DNSSEC NSEC/RSA-SHA1 validator for Internet DNSSEC
• But the Internet DNS root was deployed with NSEC and RSA/SHA-256, and the TLDs used NSEC3 with RSA/SHA-1, so the Windows Server® 2008 R2 DNS Server cannot validate Internet DNSSEC
• Windows Server® 2008 R2 can remain the DNSSEC validator for internal static zones
• A third-party validating resolver is needed to handle Internet DNS validation
• The Windows® 7 DNS client can be "DNSSEC aware", but does not support client-side validation
• Designed to make sure the internal domain DNS namespace is validated, not the Internet
• The Name Resolution Policy Table (NRPT) specifies the suffixes that require validation from the DNS server
• Internet-resolvable "internal" names used for split DNS can be exempted, e.g. email.corp.contoso.com
• For mobile clients, do not use the NRPT to enforce DNSSEC validation for public DNS zones, e.g. www.socialsecurity.gov: if the client is not behind a DNSSEC-validating resolver, the query will fail and access is blocked
• The Windows® 7 DNS client APIs do not expose DNSSEC details
• The model is that Internet validation is done by the ISP's caching resolver, so it is transparent to applications
• The Windows® 7 nslookup tool has its own DNS client and is not DNSSEC aware; use Netmon for troubleshooting
• Client tools: dig 9.6.1 (distributed with BIND), the QTools validator from DHS/Sparta, Netmon 3.4
• Caution: DNSSEC-aware applications will likely ship a separate DNS client inside the app, and will likely run into deployment and performance issues
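An added example (not part of the presentation) that models the slide's argument: a validator limited to RSA/SHA-1 with NSEC fails the Internet chain of trust at the root, while the same validator still succeeds from an internal trust anchor. It assumes the Windows Server 2008 R2 capability profile is exactly algorithm 5 (RSASHA1) with NSEC only, as the slide's "NSEC SHA1 validator" line describes; the apex records are constructed, with key material truncated.

```python
import re

# IANA DNSSEC algorithm numbers (registry facts, not from the slide)
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256",
              10: "RSASHA512", 13: "ECDSAP256SHA256"}
# Assumed capability profile for the slide's "NSEC SHA1 validator"
WIN2008R2 = {"algorithms": {5}, "nsec3": False}
FULL = {"algorithms": set(ALGORITHMS), "nsec3": True}

# Constructed sample apex records (key data truncated) mirroring the slide:
# root signed with RSASHA256, com. with NSEC3/RSASHA1, and an internal
# static zone signed with plain RSA/SHA-1 and NSEC.
SAMPLE_RECORDS = """\
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKl...
com. 86400 IN DNSKEY 257 3 7 AQPDzldNmMv...
com. 86400 IN NSEC3PARAM 1 0 5 6D1B
corp.contoso.com. 3600 IN DNSKEY 257 3 5 AwEAAbcdEf...
"""
DNSKEY_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DNSKEY\s+\d+\s+3\s+(\d+)\s")
NSEC3PARAM_RE = re.compile(r"^(\S+)\s+\d+\s+IN\s+NSEC3PARAM\s")

def parse_zones(text):
    """Collect per-zone DNSKEY algorithms and whether NSEC3 is in use."""
    zones = {}
    for line in text.splitlines():
        if m := DNSKEY_RE.match(line):
            z = zones.setdefault(m.group(1), {"algorithms": set(), "nsec3": False})
            z["algorithms"].add(int(m.group(2)))
        elif m := NSEC3PARAM_RE.match(line):
            zones.setdefault(m.group(1), {"algorithms": set(), "nsec3": False})["nsec3"] = True
    return zones

def chain_of_trust(name, anchor="."):
    """Zones from the trust anchor down to name, or None if the anchor does not cover it."""
    labels = name.rstrip(".").split(".") if name.rstrip(".") else []
    chain = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    return chain[chain.index(anchor):] if anchor in chain else None

def zone_verdict(zone, validator):
    """None if the validator can verify this zone, else the blocking reason."""
    if zone["nsec3"] and not validator["nsec3"]:
        return "NSEC3 not supported"
    if not zone["algorithms"] & validator["algorithms"]:  # need at least one usable key algorithm
        names = ", ".join(ALGORITHMS.get(a, str(a)) for a in sorted(zone["algorithms"]))
        return f"algorithm(s) {names} not supported"
    return None

def validate_path(name, zones, validator, anchor="."):
    """Walk the chain from the anchor; stop at the first zone the validator cannot handle."""
    chain = chain_of_trust(name, anchor)
    if chain is None:
        return False, None, "no trust anchor covers this name"
    for zone_name in chain:
        if zone_name in zones:  # zones missing from the sample are simply skipped
            if reason := zone_verdict(zones[zone_name], validator):
                return False, zone_name, reason
    return True, None, None
```

With the root as anchor the 2008 R2 profile fails at "." on RSASHA256; with corp.contoso.com. as the trust anchor the same profile validates email.corp.contoso.com., which is the split the slide recommends.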
