450 likes | 685 Views
WSV325. Deploying DNSSEC in Windows Server 2012. Rob Kuehfus Program Manager Microsoft Corporation. Agenda. DNS Spoofing. Demo. Windows Server 2012 Cloud Optimize Your IT. Beyond Virtualization
E N D
WSV325 Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation
DNS Spoofing Demo
Windows Server 2012Cloud Optimize Your IT Beyond Virtualization Windows Server 2012 offers a dynamic, multi-tenant infrastructure that goes beyond virtualization to provide maximum flexibility for delivering and connecting to cloud services. Modern Workstyle, Enabled Windows Server 2012 empowers IT to provide users with flexible access to data and applications from virtually anywhere on any device with a rich user experience, while simplifying management and helping maintain security, control and compliance. The Power of Many Servers, the Simplicity of One Windows Server 2012 offers excellent economics by integrating a highly available and easy to manage multi-server platform with breakthrough efficiency and ubiquitous automation. Every App, Any Cloud WS2012 is a broad, scalable and elastic server platform that gives you the flexibility to build and deploy applications and websites on-premises, in the cloud and in a hybrid environment, using a consistent set of tools and frameworks.
The Basic Idea • DNSSEC introduces 5 new record types: • Resource Record Signature (RRSIG) • DNS Public Key (DNSKEY) • Delegation Signer (DS) • Next Secure (NSEC) • Next Secure 3 (NSEC3) • Using the new records resolvers build a chain of trust for any signed zone • DNS Responses include signatures and can be validated
RRSIG, DNSKEY, DS Records I don’t have that information ask com root www.contoso.com I don’t have that information I’ll ask root www.contoso.com? I don’t have that information ask contoso.com com www.contoso.com? www.contoso.com? ISP www.contoso.com? www.contoso.com A No problem its 65.55.39.10 www.contoso.com RRSIG contoso.com
RRSIG, DNSKEY, DS Records An RRSIG has been returned. I will validate to see if this is correct root Compute hash www.contoso.com A Hash Decrypt with DNSKEY(ZSK) www.contoso.com RRSIG Hash www.contoso.com A www.contoso.com RRSIG com ISP contoso.com DNSKEY(KSK) contoso.com contoso.com DNSKEY(ZSK) contoso.com DNSKEY(ZSK) RRSIG
RRSIG, DNSKEY, DS Records But how do I know the DNSKEY is not spoofed? root Compute hash contoso.com DNSKEY(ZSK) Hash Decrypt with DNSKEY(KSK) contoso.com DNSKEY(ZSK) RRSIG Hash www.contoso.com A www.contoso.com RRSIG com contoso.com DNSKEY(ZSK) contoso.com DNSKEY(ZSK) RRSIG ISP contoso.com DNSKEY(KSK) contoso.com
RRSIG, DNSKEY, DS Records But how I do know I have the correct KSK DNSKEY? root Compute hash contoso.com DNSKEY(KSK) Hash Contoso.com DS www.contoso.com A www.contoso.com RRSIG com contoso.com DS contoso.com DNSKEY(ZSK) contoso.com DS RRSIG contoso.com DNSKEY(ZSK) RRSIG ISP contoso.com DNSKEY(KSK) contoso.com
RRSIG, DNSKEY, DS Records COM could be spoofed, right? Let’s check! Compute hash contoso.com DS Hash root Decrypt with DNSKEY(ZSK) contoso.com RRSIG Hash contoso.com DS com DNSKEY(KSK) contoso.com DS RRSIG com com DNSKEY(ZSK) com DNSKEY(ZSK) RRSIG ISP contoso.com
RRSIG, DNSKEY, DS Records I will validate all the way to root by building a chain up to root root DNSKEY(KSK) root DNSKEY(ZSK) root root DNSKEY(ZSK) RRSIG .com DS com DS RRSIG www.contoso.com A .com DNSKEY(KSK) .com DNSKEY(ZSK) www.contoso.com RRSIG com .com DNSKEY(ZSK) RRSIG contoso.com DS contoso.com DS RRSIG ISP contoso.com DNSKEY(KSK) contoso.com contoso.com DNSKEY(ZSK) contoso.com DNSKEY(ZSK) RRSIG
RRSIG, DNSKEY, DS Records Wait a minute…I already have the DNSKEY record in my Trust Anchor store for root. Lets use it. Who do I ask to make sure root’s KSK DNSKEY is correct? root root DNSKEY(KSK) root DNSKEY(KSK) contoso.com DS contoso.com DS RRSIG com com DNSKEY(ZSK) com DNSKEY(ZSK) RRSIG ISP root DNSKEY(KSK) contoso.com root DNSKEY(KSK)
RRSIG, DNSKEY, DS Records I have complete my validation and everything checks out! root DNSKEY(KSK) root DNSKEY(ZSK) root root DNSKEY(ZSK) RRSIG .com DS com DS RRSIG www.contoso.com A .com DNSKEY(KSK) .com DNSKEY(ZSK) www.contoso.com RRSIG com .com DNSKEY(ZSK) RRSIG contoso.com DS contoso.com DS RRSIG ISP contoso.com DNSKEY(KSK) contoso.com contoso.com DNSKEY(ZSK) contoso.com DNSKEY(ZSK) RRSIG
Contoso.com (signed w/ NSEC) NSEC, NSEC3 Next Secure accounting.contoso.com NSEC record contoso.com (unsigned) accounting.contoso.com A record Next Secure enroll.contoso.com NSEC record enroll.contoso.com A record accounting.contoso.com A record enroll.contoso.com A record Next Secure hr.contoso.com NSEC record hr.contoso.com A record hr.contoso.com A record Next Secure server3.contoso.com NSEC record server3.contoso.com A record server3.contoso.com A record www.contoso.com A record Next Secure www.contoso.com NSEC record www.contoso.com A record Next Secure contoso.com NSEC record
Contoso.com (signed w/ NSEC) NSEC, NSEC3 Next Secure accounting.contoso.com NSEC record budget.contoso.com accounting.contoso.com A record Next Secure enroll.contoso.com NSEC record enroll.contoso.com A record Next Secure hr.contoso.com NSEC record hr.contoso.com A record Hmm…..but now we have learned there are no records between budget and accounting Next Secure server3.contoso.com NSEC record server3.contoso.com A record Next Secure www.contoso.com NSEC record www.contoso.com A record Next Secure contoso.com NSEC record
Contoso.com (signed w/ NSEC3) NSEC, NSEC3 Next Secure 3 mdjeu489wjd NSEC3 record budget.contoso.com accounting.contoso.com A record Next Secure 3 oejsnw854jr NSEC3 record enroll.contoso.com A record Next Secure 3 km8301jsdyew NSEC3 record hr.contoso.com A record Next Secure 3 mhsq74ikjdj NSEC3 record Returns a hashed response to prevent dictionary attacks server3.contoso.com A record Next Secure 3 ythe84jkf NSEC3 record www.contoso.com A record Next Secure 3 kdfshjdfswe98 NSEC3 record
Signing a zone Demo
DNSSEC in Windows 2008 R2 • Microsoft introduced support for DNSSEC in Windows 2008 R2… • Ability to sign zones offline and host signed zones • Validation of signed responses • Support for NSEC
DNSSEC in Windows Server 2012 Enabling enterprise DNSSEC rollout • Latest RFCs • NSEC3 Support • RSA/SHA-2 Signing • Automated Trust Anchor rollover Interoperability Dynamic Manageability Automation
DNSSEC in Windows Server 2012 Enabling enterprise DNSSEC rollout • Active Directory Integrated • Support for dynamic updates • Preserving the multi-master DNS model • Leverage AD for secure key distribution and Trust Anchor distribution Interoperability Dynamic Manageability Automation
DNSSEC in Windows Server 2012 Enabling enterprise DNSSEC rollout Interoperability Dynamic Manageability Automation
DNSSEC in Windows Server 2012 Enabling enterprise DNSSEC rollout • Automatedre-signingon static and dynamic updates • Automatedkey rollovers • Automatedsignature refresh • Automatedupdating of secure delegations • Automateddistribution and updating of Trust Anchors Interoperability Dynamic Manageability Automation
Introduce Windows Server 2012 • Active Directory integrated zone • Classic multi-master deployment • Hosted on five DNS servers that are also domain controllers
AD integrated zone DNS Manager wizard walks admin through signing process Generates Keys for signing zone on the first DC. Signs it’s own copy of the zone Signing a zone
Single location for all key generation and management Drives automated rollover Administrator designates one server to be the key master First DNSSEC server becomes KM Key Master Role
Private zone signing keys replicate automatically to all DCs hosting the zone through AD replication Each zone owner signs its own copy of the zone when it receives the key Only Windows 8 DCs will sign their copy of the zone Signing entire zone
Updating zone data • Client sends dynamic update to any authoritative DNS server • That DNS server updates its own copy of the zone and generates signatures • The unsigned update is replicated to all other authoritative servers • Each DNS server adds the update to its copy of the zone and generates signatures
Deploy Trust Anchor Demo
Trust Anchor Distribution Trust Anchors replicate to all DNS servers that are DCs in the forest via AD Distribution of TAs to servers not a domain controller in the forest is manual via PowerShell or DNS Manager Trust Anchor Distribution & Mgmt. • Trust Anchor maintenance • Trust Anchor updates are automatically replicated via AD to all servers in the forest • Automated Trust Anchor rollover is used to keep TAs up to date
DNSSEC Lifecycle Using Windows Server 8 on the Intranet
Key Rollover Process KSK ZSK1 contoso.com ZSK2
Key Rollover Process KSK ZSK1 contoso.com ZSK2
Signatures stay up-to-date New records are signed automatically when zone data changes Static and dynamic updates NSEC records are kept up to date Key Management has low TCO • Automated key rollovers • Key rollover frequency is configured per zone • Key master automatically generates new keys and replicates via AD • Zone owners rollover keys and re-signs the zone • Secure delegations from the parent are also automatically updated (within the same forest)
Advanced: Last mile IPSEC DNSSEC Non-Auth DNS resolver Authoritative for the zone GPO
Last Mile Demo
New in DNS for Windows Server 2012 • IPAM • PowerShell cmdlets • Near parity with dnscmd.exe • Dynamic re-ordering of forwarders • Server now picks the forwarder that is responsive over the ones that are not responsive • Basically, unresponsive forwarders are dropped to the bottom of the list for successive queries • WINS Support for DNSSEC
Summary • People are trusting DNSSEC can protect them • Easy to deploy • Smart defaults • Automated management for day to day operations
SIA, WSV, and VIR Track Resources #TE(sessioncode) Talk to our Experts at the TLC Hands-On Labs DOWNLOAD Windows Server 2012 Release Candidate microsoft.com/windowsserver DOWNLOAD Windows Azure Windowsazure.com/ teched
Resources Learning TechNet • Connect. Share. Discuss. • Microsoft Certification & Training Resources http://northamerica.msteched.com www.microsoft.com/learning • Resources for IT Professionals • Resources for Developers • http://microsoft.com/technet http://microsoft.com/msdn
Required Slide Complete an evaluation on CommNet and enter to win!
Please Complete an Evaluation Your feedback is important! Multipleways to Evaluate Sessions Be eligible to win great daily prizes and the grand prize of a $5,000 Travel Voucher! Scan the Tag to evaluate this session now on myTechEdMobile
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.