
Deploying DNSSEC in Windows Server 2012






Presentation Transcript


  1. WSV325: Deploying DNSSEC in Windows Server 2012. Rob Kuehfus, Program Manager, Microsoft Corporation

  2. Agenda

  3. DNS Spoofing Demo

  4. Windows Server 2012: Cloud Optimize Your IT
  • Beyond Virtualization: Windows Server 2012 offers a dynamic, multi-tenant infrastructure that goes beyond virtualization to provide maximum flexibility for delivering and connecting to cloud services.
  • Modern Workstyle, Enabled: Windows Server 2012 empowers IT to provide users with flexible access to data and applications from virtually anywhere on any device with a rich user experience, while simplifying management and helping maintain security, control and compliance.
  • The Power of Many Servers, the Simplicity of One: Windows Server 2012 offers excellent economics by integrating a highly available and easy to manage multi-server platform with breakthrough efficiency and ubiquitous automation.
  • Every App, Any Cloud: WS2012 is a broad, scalable and elastic server platform that gives you the flexibility to build and deploy applications and websites on-premises, in the cloud and in a hybrid environment, using a consistent set of tools and frameworks.

  5. The Basic Idea
  • DNSSEC introduces 5 new record types: Resource Record Signature (RRSIG), DNS Public Key (DNSKEY), Delegation Signer (DS), Next Secure (NSEC), Next Secure 3 (NSEC3)
  • Using the new records, resolvers build a chain of trust for any signed zone
  • DNS responses include signatures and can be validated

  6–13. RRSIG, DNSKEY, DS Records (animated diagram: an ISP resolver asks root, com and contoso.com for www.contoso.com and validates the answer it gets back). The steps the animation walks through:
  • Resolution: the resolver asks root for www.contoso.com ("I don't have that information, ask com"), then com ("I don't have that information, ask contoso.com"), then contoso.com, which answers "No problem, it's 65.55.39.10": a www.contoso.com A record together with the www.contoso.com RRSIG, signed by contoso.com.
  • An RRSIG has been returned; validate it. Hash the www.contoso.com A RRset and verify the RRSIG over that hash with the contoso.com DNSKEY (ZSK). (The slide labels this step "decrypt with DNSKEY"; what the validator actually does is a public-key signature verification with the ZSK's public key, nothing is decrypted.)
  • But how do I know the DNSKEY is not spoofed? The contoso.com DNSKEY RRset (ZSK and KSK) carries its own RRSIG, made with the KSK. Hash the contoso.com DNSKEY (ZSK) and verify the contoso.com DNSKEY RRSIG with the contoso.com DNSKEY (KSK).
  • But how do I know I have the correct KSK DNSKEY? Hash the contoso.com DNSKEY (KSK) and compare the digest with the contoso.com DS record, which is published not in contoso.com but in its parent, com.
  • com could be spoofed, right? Let's check! The contoso.com DS RRset in com has a contoso.com DS RRSIG made with the com DNSKEY (ZSK); verify it. The com DNSKEY (ZSK) is in turn signed by the com DNSKEY (KSK), whose digest is the com DS record in root.
  • Keep building the chain up to root: root DNSKEY (KSK) signs the root DNSKEY RRset, the root DNSKEY (ZSK) signs the com DS, and so on down to www.contoso.com A.
  • Wait a minute... I already have the root DNSKEY (KSK) in my Trust Anchor store. Let's use it. Who do I ask to make sure root's KSK DNSKEY is correct? Nobody: the root KSK is the configured trust anchor, the one key the validator accepts without a parent, so the chain terminates there.
  • Validation is complete and everything checks out: the www.contoso.com A record is authentic.

  14. NSEC, NSEC3: Next Secure (diagram: contoso.com unsigned beside contoso.com signed with NSEC). The unsigned zone holds A records for accounting.contoso.com, enroll.contoso.com, hr.contoso.com, server3.contoso.com and www.contoso.com. Once signed with NSEC, every name also gets an NSEC record naming the next name in canonical order: accounting → enroll → hr → server3 → www → contoso.com (the chain wraps back to the apex).
  15. A query for the non-existent budget.contoso.com is answered with the NSEC record of accounting.contoso.com, whose "next secure" name is enroll.contoso.com. That signed record proves budget.contoso.com does not exist, because it would sort between those two names. Hmm... but now we have also learned that there are no names between accounting and enroll, and by repeating the query for each "next" name in turn the entire zone can be walked.
  16. Contoso.com signed with NSEC3: the owner names in the chain are replaced by hashes (the slide shows values such as mdjeu489wjd, oejsnw854jr, km8301jsdyew, mhsq74ikjdj, ythe84jkf, kdfshjdfswe98), each still followed by the zone's real A records. The negative answer for budget.contoso.com is then a hashed interval rather than two readable names, which is what the slide means by "returns a hashed response to prevent dictionary attacks". More precisely, NSEC3 stops trivial zone walking; the hashes themselves can still be attacked offline with a dictionary of likely host names, which is why the NSEC3 salt and iteration count are settings to choose deliberately rather than leave at whatever the wizard picks.
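The chain the resolver walks in slides 6–13, and the NSEC/NSEC3 denial-of-existence records from slides 14–16, can be looked at from any Windows 8 / Windows Server 2012 machine with the DnsClient module. The script below is an added example, not part of the deck or of Microsoft's own material: it fetches the A + RRSIG answer, then the DNSKEY and DS RRsets at every zone cut up to root, and finally the NSEC records around the deck's non-existent name. It only displays what each level returns; the signature verification itself is done by the validating resolver, not by this script. The resolver address and the use of contoso.com are assumptions taken from the deck's placeholders.

```powershell
# Added example (not from the deck). DnsClient module, Windows 8 / Server 2012 or later.
# Assumptions: $Resolver is a validating resolver reachable from this machine;
# contoso.com is the deck's example zone, substitute one you operate.
param(
    [string]$Name     = 'www.contoso.com',
    [string]$Resolver = '10.0.0.10'   # assumed address of the validating resolver
)

function Get-ZoneCut {
    # Zones from the leaf's parent up to root: www.contoso.com -> contoso.com, com, .
    param([string]$Name)
    $labels = $Name.TrimEnd('.').Split('.')
    $zones = @()
    for ($i = 1; $i -lt $labels.Count; $i++) {
        $zones += ($labels[$i..($labels.Count - 1)] -join '.')
    }
    $zones += '.'
    return $zones
}

function Show-DnssecChain {
    param([string]$Name, [string]$Resolver)
    # Slide 6: the answer comes back with the RRSIG that signs it (DO bit via -DnssecOk).
    Write-Host "== $Name A + RRSIG =="
    Resolve-DnsName -Name $Name -Type A -Server $Resolver -DnssecOk |
        Format-Table Name, Type, TTL, Section -AutoSize
    foreach ($zone in Get-ZoneCut $Name) {
        # Slides 7-8: the zone's DNSKEY RRset (ZSK + KSK), itself signed by the KSK.
        Write-Host "== $zone DNSKEY =="
        try {
            Resolve-DnsName -Name $zone -Type DNSKEY -Server $Resolver -DnssecOk -ErrorAction Stop |
                Format-Table Name, Type, TTL, Section -AutoSize
        } catch { Write-Warning "DNSKEY lookup for $zone failed: $_" }
        if ($zone -eq '.') {
            # Slide 12: root has no parent; the validator compares root's KSK with its trust anchor.
            Write-Host 'Root: KSK is checked against the local trust anchor, not a DS record.'
            break
        }
        # Slides 9-10: the DS for this zone's KSK lives in the parent zone.
        Write-Host "== $zone DS (held by the parent) =="
        try {
            Resolve-DnsName -Name $zone -Type DS -Server $Resolver -DnssecOk -ErrorAction Stop |
                Format-Table Name, Type, TTL, Section -AutoSize
        } catch { Write-Warning "DS lookup for $zone failed: $_" }
    }
}

function Show-DenialOfExistence {
    param([string]$Zone, [string]$Resolver)
    # Slide 15: a non-existent name is answered with NXDOMAIN plus NSEC/NSEC3 in the
    # Authority section. Resolve-DnsName reports NXDOMAIN as an error, so catch it.
    $missing = "budget.$Zone"   # the deck's example of a name that does not exist
    try {
        Resolve-DnsName -Name $missing -Type A -Server $Resolver -DnssecOk -ErrorAction Stop
    } catch {
        Write-Host "$missing does not exist: $($_.Exception.Message)"
    }
    # Slide 14: in an NSEC-signed zone the apex NSEC record names the first host,
    # and every host's NSEC names the next one, which is what makes zone walking possible.
    # In an NSEC3-signed zone this query returns nothing, because NSEC3 owner names are
    # hashes and cannot be asked for by the name you know (slide 16).
    Write-Host "== $Zone NSEC (apex record, shows the next secure name) =="
    Resolve-DnsName -Name $Zone -Type NSEC -Server $Resolver -DnssecOk -ErrorAction SilentlyContinue |
        Format-List *
}

Show-DnssecChain -Name $Name -Resolver $Resolver
Show-DenialOfExistence -Zone ($Name -replace '^[^.]+\.', '') -Resolver $Resolver
```

Run it once against an NSEC-signed zone and once against an NSEC3-signed one: with NSEC the apex record hands you the next host name in clear, with NSEC3 the same query returns nothing, which is the difference slides 15 and 16 illustrate.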

  17. Signing a zone Demo

  18. DNSSEC in Windows Server 2008 R2
  • Microsoft introduced support for DNSSEC in Windows Server 2008 R2
  • Ability to sign zones offline and host signed zones
  • Validation of signed responses
  • Support for NSEC

  19. DNSSEC in Windows Server 2012: Enabling enterprise DNSSEC rollout. Interoperability:
  • Latest RFCs
  • NSEC3 support
  • RSA/SHA-2 signing
  • Automated Trust Anchor rollover (RFC 5011)

  20. DNSSEC in Windows Server 2012: Enabling enterprise DNSSEC rollout. Dynamic:
  • Active Directory integrated
  • Support for dynamic updates
  • Preserving the multi-master DNS model
  • Leverage AD for secure key distribution and Trust Anchor distribution

  21. DNSSEC in Windows Server 2012: Enabling enterprise DNSSEC rollout. Manageability.

  22. DNSSEC in Windows Server 2012: Enabling enterprise DNSSEC rollout. Automation:
  • Automated re-signing on static and dynamic updates
  • Automated key rollovers
  • Automated signature refresh
  • Automated updating of secure delegations
  • Automated distribution and updating of Trust Anchors

  23. Introduce Windows Server 2012
  • Active Directory integrated zone
  • Classic multi-master deployment
  • Hosted on five DNS servers that are also domain controllers

  24. Signing a zone (AD integrated zone)
  • DNS Manager wizard walks the admin through the signing process
  • Generates keys for signing the zone on the first DC
  • That DC signs its own copy of the zone

  25. Key Master Role
  • Single location for all key generation and management
  • Drives automated rollover
  • Administrator designates one server to be the key master; the first DNSSEC server becomes the KM

  26. Signing the entire zone
  • Private zone signing keys replicate automatically to all DCs hosting the zone through AD replication
  • Each zone owner signs its own copy of the zone when it receives the key
  • Only Windows Server 2012 DCs (the deck uses the pre-release name "Windows 8") will sign their copy of the zone; older DCs keep hosting the zone unsigned

  27. Updating zone data
  • Client sends a dynamic update to any authoritative DNS server
  • That DNS server updates its own copy of the zone and generates signatures
  • The unsigned update is replicated to all other authoritative servers
  • Each DNS server adds the update to its copy of the zone and generates signatures
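Slides 23–27 describe the wizard-driven signing of an AD-integrated zone; the same procedure can be scripted with the DnsServer cmdlets that Windows Server 2012 added (slide 37). The block below is an added example, not code from the deck: it generates a KSK and ZSK on the DC that will become key master, selects NSEC3, signs, verifies the result, and exports the public key and DS set for the parent. Zone name, server name and the 2048/1024-bit key lengths are assumptions; the cmdlet and parameter names are those of the Windows Server 2012 DnsServer module.

```powershell
# Added example (not from the deck): sign an AD-integrated zone from PowerShell
# instead of the DNS Manager wizard (slides 23-27). Run against the DC that
# should become the key master. DnsServer module, Windows Server 2012 or later.
$Zone      = 'contoso.com'   # the deck's example zone (assumption)
$KeyMaster = 'DC1'           # assumed name of the first DNSSEC server
$ExportDir = 'C:\dnssec'     # assumed output folder for keyset/dsset files

# 1. Generate a Key Signing Key and a Zone Signing Key, RSA/SHA-256 (slide 19).
#    Keys are generated once on the key master (slide 25); the private keys then
#    reach every other DC hosting the zone through AD replication (slide 26).
Add-DnsServerSigningKey -ZoneName $Zone -ComputerName $KeyMaster `
    -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $Zone -ComputerName $KeyMaster `
    -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

# 2. Denial of existence: NSEC3 with a random salt so the zone cannot simply be
#    walked (slides 15-16). DistributeTrustAnchor DnsKey lets AD replicate the
#    KSK as a trust anchor to the forest's other DNS servers (slide 29).
Set-DnsServerDnsSecZoneSetting -ZoneName $Zone -ComputerName $KeyMaster `
    -DenialOfExistence NSec3 -NSec3Iterations 10 -NSec3RandomSaltLength 8 `
    -DistributeTrustAnchor DnsKey

# 3. Sign. Without -SignWithDefault the keys and settings configured above are used.
Invoke-DnsServerZoneSign -ZoneName $Zone -ComputerName $KeyMaster -Force

# 4. Verify: the zone reports IsSigned and names its key master, both keys exist,
#    and DNSKEY / RRSIG / NSEC3 records are now part of the zone data.
Get-DnsServerDnsSecZoneSetting -ZoneName $Zone -ComputerName $KeyMaster |
    Select-Object ZoneName, IsSigned, KeyMasterServer, DenialOfExistence
Get-DnsServerSigningKey -ZoneName $Zone -ComputerName $KeyMaster |
    Select-Object KeyId, KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod
foreach ($type in 'DnsKey', 'Rrsig', 'NSec3') {
    Write-Host "== first $type records in $Zone =="
    Get-DnsServerResourceRecord -ZoneName $Zone -RRType $type -ComputerName $KeyMaster |
        Select-Object -First 3 HostName, RecordType, TimeToLive
}

# 5. Export the public KSK (keyset-<zone>) and its DS set (dsset-<zone>). Inside
#    the forest the secure delegation is updated automatically (slide 33); for a
#    parent outside the forest these files are what you hand to its operator.
New-Item -ItemType Directory -Path $ExportDir -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -ComputerName $KeyMaster `
    -Path $ExportDir -DigestType Sha256 -Force
Get-ChildItem $ExportDir
```

After step 3 the other Windows Server 2012 DCs hosting the zone sign their own copies as the keys replicate to them (slide 26); there is nothing to run on them. If the key master ever has to move, the role is transferred with Reset-DnsServerZoneKeyMasterRole rather than by re-signing.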

  28. Deploy Trust Anchor Demo

  29. Trust Anchor Distribution & Management
  • Trust Anchors replicate to all DNS servers that are DCs in the forest via AD
  • Distribution of TAs to servers that are not domain controllers in the forest is manual, via PowerShell or DNS Manager
  • Trust Anchor maintenance: Trust Anchor updates are automatically replicated via AD to all servers in the forest
  • Automated Trust Anchor rollover is used to keep TAs up to date
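Slide 29 leaves the non-DC case to "PowerShell or DNS Manager". The block below is an added example of that manual path, not part of the deck: it reads the keyset file that Export-DnsServerDnsSecPublicKey writes on the key master, picks out the KSK (DNSKEY flags 257), installs it as a trust anchor on a DNS server outside the forest, and checks that the server now validates. File path, server name and the exported-file format (one DNSKEY per line in zone-file syntax, base64 possibly wrapped in parentheses) are assumptions.

```powershell
# Added example (not from the deck): install the contoso.com KSK as a trust
# anchor on a DNS server that is not a DC in the forest (slide 29).
# Assumptions: keyset file copied from the key master; non-DC server name.
$Zone   = 'contoso.com'
$KeySet = "C:\dnssec\keyset-$Zone"   # assumed copy of Export-DnsServerDnsSecPublicKey output
$Target = 'DNSSRV-DMZ'               # assumed non-DC DNS server running Windows Server 2012

function Import-KskTrustAnchor {
    param([string]$Zone, [string]$KeySetPath, [string]$ComputerName)
    # keyset-<zone> is zone-file format, e.g.
    #   contoso.com. 3600 IN DNSKEY 257 3 8 AwEAAb...
    # flags 257 = KSK, 256 = ZSK; protocol is always 3; algorithm per RFC 4034/5702.
    # Only the KSK becomes a trust anchor: it is the key the parent's DS points at
    # (slide 9), and the ZSK is expected to roll without any client-side change.
    $text = (Get-Content -Path $KeySetPath -Raw) -replace '[()]', '' -replace '\r?\n[ \t]+', ' '
    $added = 0
    foreach ($line in ($text -split '\r?\n')) {
        if ($line -notmatch '^\S+\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$') { continue }
        $flags = [int]$Matches[1]; $proto = [int]$Matches[2]; $alg = [int]$Matches[3]
        $key   = $Matches[4] -replace '\s', ''
        if ($flags -ne 257 -or $proto -ne 3) { continue }
        # Map the algorithm number to the cmdlet's enum name (assumed mapping of the
        # algorithms Windows Server 2012 can sign with; others are refused on purpose).
        $algName = switch ($alg) {
            5  { 'RsaSha1' }
            7  { 'RsaSha1NSec3' }
            8  { 'RsaSha256' }
            10 { 'RsaSha512' }
            default { throw "DNSKEY algorithm $alg in $KeySetPath is not supported here" }
        }
        Add-DnsServerTrustAnchor -Name $Zone -ComputerName $ComputerName `
            -KeyProtocol Dnssec -CryptoAlgorithm $algName -Base64Data $key
        $added++
    }
    if ($added -eq 0) { throw "no KSK (flags 257) found in $KeySetPath" }
    return $added
}

$count = Import-KskTrustAnchor -Zone $Zone -KeySetPath $KeySet -ComputerName $Target
Write-Host "$count trust anchor(s) added for $Zone on $Target"

# Verify the trust point exists and holds the key.
Get-DnsServerTrustPoint  -Name $Zone -ComputerName $Target
Get-DnsServerTrustAnchor -Name $Zone -ComputerName $Target

# The server now validates answers under contoso.com: a good answer comes back,
# a tampered one would be refused (SERVFAIL) unless the query carries CD.
Resolve-DnsName -Name "www.$Zone" -Type A -Server $Target -DnssecOk
Resolve-DnsName -Name "www.$Zone" -Type A -Server $Target -DnssecOk -DnssecCd
```

Two caveats a practitioner will want: a trust anchor installed this way is only refreshed automatically if the zone signals key rollover per RFC 5011 and the server has that enabled for the trust point; otherwise the next KSK rollover silently breaks validation on the non-DC server, so treat the anchor like any other manually distributed key and schedule its renewal. And for a non-Windows parent that wants a DS rather than a DNSKEY, the same cmdlet accepts the DS form (key tag, digest type and digest) instead of -Base64Data.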

  30. DNSSEC Lifecycle: Using Windows Server 2012 (pre-release name "Windows Server 8") on the Intranet

  31. Key Rollover Process (diagram: contoso.com with its KSK and two zone signing keys, ZSK1 and ZSK2)

  32. Key Rollover Process (diagram continued: ZSK2 is introduced alongside ZSK1 under the same KSK before ZSK1 is retired)

  33. Signatures stay up to date; key management has low TCO
  • New records are signed automatically when zone data changes, for both static and dynamic updates
  • NSEC records are kept up to date
  • Automated key rollovers; key rollover frequency is configured per zone
  • Key master automatically generates new keys and replicates them via AD
  • Zone owners roll over keys and re-sign the zone
  • Secure delegations from the parent are also automatically updated (within the same forest)
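The ZSK1/ZSK2 animation in slides 31–32 and the per-zone rollover settings in slide 33 map onto a handful of DnsServer cmdlets. The block below is an added example, not from the deck: it lists the zone's keys and their schedule, changes the ZSK rollover period, forces a rollover to see the second ZSK pre-published in the DNSKEY RRset, and shows the KSK case, which has to wait for the parent's DS. Zone and server names are the deck's placeholders; the 60-day period is an arbitrary choice.

```powershell
# Added example (not from the deck): inspect and drive signing-key rollover
# on the key master (slides 31-33). DnsServer module, Windows Server 2012 or later.
$Zone      = 'contoso.com'   # the deck's example zone (assumption)
$KeyMaster = 'DC1'           # assumed key master

# Keys currently in use, with their automatic rollover schedule.
Get-DnsServerSigningKey -ZoneName $Zone -ComputerName $KeyMaster |
    Format-Table KeyId, KeyType, CryptoAlgorithm, KeyLength, IsRolloverEnabled, RolloverPeriod, NextRolloverAction -AutoSize

# Rollover frequency is a per-zone, per-key setting (slide 33): make the ZSK roll
# every 60 days (assumed value) and make sure automatic rollover is switched on.
$zsk = Get-DnsServerSigningKey -ZoneName $Zone -ComputerName $KeyMaster |
    Where-Object { $_.KeyType -eq 'ZoneSigningKey' } | Select-Object -First 1
Set-DnsServerSigningKey -ZoneName $Zone -KeyId $zsk.KeyId -ComputerName $KeyMaster `
    -RolloverPeriod (New-TimeSpan -Days 60)
Enable-DnsServerSigningKeyRollover -ZoneName $Zone -KeyId $zsk.KeyId -ComputerName $KeyMaster

# Start a rollover now rather than waiting (e.g. after a suspected ZSK exposure).
# The new key is generated on the key master and replicated via AD; ZSK2 is
# pre-published next to ZSK1, exactly as the slide 31/32 diagram shows.
Invoke-DnsServerSigningKeyRollover -ZoneName $Zone -KeyId $zsk.KeyId -ComputerName $KeyMaster -Force

# Both ZSKs now appear in the DNSKEY RRset; every DC hosting the zone re-signs
# its own copy automatically as the key arrives.
Get-DnsServerResourceRecord -ZoneName $Zone -RRType DnsKey -ComputerName $KeyMaster |
    Format-Table HostName, RecordType, TimeToLive -AutoSize

# KSK rollover additionally needs a new DS in the parent. Inside the forest that
# happens automatically (slide 33). For an external parent, export the new DS set,
# submit it, and only then let the rollover proceed past the "waiting for parent" step.
$ksk = Get-DnsServerSigningKey -ZoneName $Zone -ComputerName $KeyMaster |
    Where-Object { $_.KeyType -eq 'KeySigningKey' } | Select-Object -First 1
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -ComputerName $KeyMaster -Path 'C:\dnssec' -DigestType Sha256 -Force
# ...after the parent publishes the DS:
# Step-DnsServerSigningKeyRollover -ZoneName $Zone -KeyId $ksk.KeyId -ComputerName $KeyMaster
```

The ordering is what matters: a ZSK can be rolled at any time because the validator only ever trusts it through the KSK's signature, whereas advancing a KSK rollover before the parent's DS has actually changed leaves every validator with a chain that no longer closes.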

  34. Advanced: Last mile (diagram: client to non-authoritative DNS resolver protected by IPsec and configured through GPO; resolver to the server authoritative for the zone protected by DNSSEC)

  35. Last Mile Demo
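The "last mile" in slide 34 is the unsigned hop between the client and its non-authoritative resolver: the resolver validates DNSSEC, and IPsec (pushed by GPO) stops anyone on the local network from rewriting the already-validated answer on its way to the client. On Windows the client side of that policy lives in the Name Resolution Policy Table (NRPT); the block below is an added example, not from the deck, that configures one client locally the way the GPO would configure many, then shows the effective policy and tests it. The resolver address is an assumption, the parameter names are those of the DnsClient module on Windows 8 / Server 2012, and the IPsec connection security rules that make the "require IPsec" setting enforceable are assumed to be provisioned separately.

```powershell
# Added example (not from the deck): client-side "last mile" policy for the
# contoso.com namespace (slide 34), set locally instead of via GPO.
# Assumptions: resolver address; IPsec rules between client and resolver exist.
$Namespace = '.contoso.com'
$Resolver  = '10.0.0.10'    # assumed validating, non-authoritative intranet resolver

# Require validation: the client sets DO and only accepts answers the resolver
# marks authentic (AD). Require IPsec for the query traffic so the unsigned hop
# to the resolver cannot be tampered with; High asks for encryption, not just integrity.
Add-DnsClientNrptRule -Namespace $Namespace -NameServers $Resolver `
    -DnsSecEnable -DnsSecValidationRequired `
    -DnsSecIPsecRequired -DnsSecIPsecEncryptionType High `
    -Comment 'DNSSEC last mile (added example)'

# Effective policy as the DNS client sees it; rules delivered by GPO show up here too,
# so this is the place to check what a domain-joined client actually applies.
Get-DnsClientNrptPolicy -Effective |
    Where-Object { $_.Namespace -eq $Namespace } |
    Format-List *

# Test. With validation required, a name whose chain does not validate fails to
# resolve (SERVFAIL from the resolver); asking with CD set (-DnssecCd) tells the
# resolver to skip validation, so comparing the two answers isolates a DNSSEC failure
# from an ordinary resolution failure.
Resolve-DnsName -Name 'www.contoso.com' -Type A -DnssecOk
Resolve-DnsName -Name 'www.contoso.com' -Type A -DnssecOk -DnssecCd

# Undo (the GPO-delivered equivalent is removed by editing the policy, not here):
# Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Namespace } | Remove-DnsClientNrptRule -Force
```

The point the slide makes and this script reflects: the Windows DNS client does not validate signatures itself, so a resolver that validates plus an unprotected last hop is still a spoofable setup; the NRPT rule is what makes the client insist on both the validated answer and the protected hop.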

  36. DNSSEC signing performance

  37. New in DNS for Windows Server 2012
  • IPAM
  • PowerShell cmdlets, with near parity to dnscmd.exe
  • Dynamic re-ordering of forwarders: the server now picks the forwarder that is responsive over the ones that are not; basically, unresponsive forwarders are dropped to the bottom of the list for successive queries
  • WINS support for DNSSEC

  38. Summary
  • People are trusting DNSSEC to protect them
  • Easy to deploy
  • Smart defaults
  • Automated management for day-to-day operations

  39. SIA, WSV, and VIR Track Resources. Talk to our Experts at the TLC (#TE(sessioncode)). Hands-On Labs. DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver. DOWNLOAD Windows Azure: Windowsazure.com/teched

  40. Resources
  • Connect. Share. Discuss. http://northamerica.msteched.com
  • Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
  • TechNet: Resources for IT Professionals, http://microsoft.com/technet
  • Resources for Developers, http://microsoft.com/msdn

  41. Required Slide Complete an evaluation on CommNet and enter to win!

  42. Please Complete an Evaluation Your feedback is important! Multipleways to Evaluate Sessions Be eligible to win great daily prizes and the grand prize of a $5,000 Travel Voucher! Scan the Tag to evaluate this session now on myTechEdMobile

  43. © 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
