40 likes | 56 Views
This project aims to implement DNSSEC support in Windows Server DNS to enable federal agencies to comply with NIST 800-53 security controls SC-20 and SC-21. The changes will ensure DNS servers support signed DNS records, recursive resolvers for authentication, and integrity checking of secure records. Key highlights include RFC implementation, support for RRSIG, NSEC, DNSKEY, DS, zone file signing tool, trust anchor support, and policies for returning only secure records to clients. Planning started in 2007 with beta in the middle and RTM in late 2007 or early 2008, aiming for general availability in the first service pack of Longhorn Server.
E N D
DNS Server changes • Provide DNSSEC support in the DNS server • Changes should allow federal agencies to comply with SC-20 and SC-21 security controls proposed in NIST 800-53. • DNS servers support signed DNS records and return the signatures in response to queries (SC-20) • DNS servers support recursive resolvers that authenticate and check integrity of secure records (SC-21)
DNS Server changes • Highlights • Implement core RFCs 4033, 4034, 4035 • Support for RRSIG, NSEC, DNSKEY, DS • Tool for signing DNS zone files. • Enable verification of chain of trust • Authentication and Integrity check of records • Enable support for trust anchors • Policy to return only secure records to clients. • Other policies under consideration.
Our plans • Planning currently in progress • Beta: middle of 2007 • RTM: late 2007 or early 2008 • General availability by first service pack of Longhorn Server.