DNS is a critical building block of any IT infrastructure, including the internet. DNS simply translates domain names such as www.msn.com to IP addresses. This allows users to remember names instead of the IP addresses that computers understand. Active Directory depends on DNS for almost everything, and DNS is a requirement for any IT infrastructure. Because DNS was designed in the early days of the internet, it is not very secure: a resolver has no way to verify where an answer came from. Hackers can easily set up a DNS server and claim that it owns all the domains, which gives attackers a mechanism to reroute client traffic.
DNSSEC is a group of extensions that harden the DNS infrastructure. IETF RFCs 4033, 4034 and 4035 describe the required extensions for DNSSEC. The most important attribute of DNSSEC is the ability to authenticate the origin of DNS data, which in turn provides data integrity. DNSSEC introduces these new record types: DNSKEY, RRSIG, DS and NSEC/NSEC3.
Windows Server 2008 R2 supports DNSSEC, but with limited functionality. Key generation and zone signing could only be done from the command line. Server 2008 R2 requires that the zone is offline during the zone signing process. There is no support for automatic key rollover, and dynamic updates are not supported. Lastly, the RSA/SHA-2 and NSEC3 algorithms are not supported.
Windows Server 2012 supports DNSSEC and fixes all the shortcomings of the Server 2008 R2 implementation. Windows Server 2012 now supports online zone signing. Dynamic updates can be enabled for DNSSEC-signed zones with Active Directory. NSEC3 and RSA/SHA-2 algorithms are now supported, as is automated trust anchor rollover. For management, Windows Server 2012 includes PowerShell cmdlets for DNSSEC. A scavenging option for stale records is also included to purge old DNSSEC records. Dynamic updates for a DNSSEC zone in Windows Server 2012 can be enabled on a DNS server as long as that server is authoritative for the zone. The Windows Server 2012 DNS server automatically creates signatures for dynamic updates and record additions in the zone. The server also keeps track of signature expiration times and automatically re-signs records whose signatures are about to expire.
DNSSEC Key Master (KM)
In a DNSSEC infrastructure, the Key Master is the primary server that provides key management and key generation for the environment. The Key Master is responsible for distributing private keys, performing KSK and zone signing key rollovers, and signing a specific zone. It also makes sure that child zones and signed delegations are in sync and up to date. The Key Master can be configured on any authoritative DNS server hosting a copy of the primary zone. As long as a server hosts the primary zone, that server can be designated as Key Master for multiple zones. As described above, the Key Master is specified per zone; it is not a global setting or attribute. The Key Master is configured automatically when you initially create the DNSSEC zone.
DNSSEC key lifetime
The DNSSEC design requires that DNSSEC keys are replaced according to a configured schedule. This is so that keys compromised by hackers cannot be used forever. The process of replacing the keys in DNSSEC is called key rollover. Unlike Windows Server 2008 R2, Windows Server 2012 allows automatic key rollovers, for both KSK and ZSK.
To configure DNSSEC on a zone from the DNS Manager console, right-click the zone > DNSSEC > Sign the Zone.
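The same signing can be done with the Windows Server 2012 DNSSEC cmdlets mentioned above. The script below is an added example, not from the original post; it assumes the DnsServer module on a server that hosts the primary zone (the constructed zone name contoso.com and the constructed host dc2.contoso.com are placeholders) and shows the choices the GUI wizard makes for you: key algorithm, rollover period, NSEC3 and the Key Master.

```powershell
# Added example (not from the original post). Assumes Windows Server 2012 or
# later with the DnsServer module, and a primary zone named "contoso.com"
# (constructed name) hosted on the local server, which becomes its Key Master.
Import-Module DnsServer
$zone = "contoso.com"

# 1. Pre-stage a KSK and a ZSK using RSA/SHA-256 (unavailable on 2008 R2).
#    RolloverPeriod turns on the automatic rollover described in the post:
#    a long period for the KSK (its DS record lives in the parent zone),
#    a short one for the ZSK, which only signs the zone's own records.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 `
    -RolloverPeriod (New-TimeSpan -Days 755)
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 1024 `
    -RolloverPeriod (New-TimeSpan -Days 90)

# 2. Sign the zone online with the keys added above. The zone stays
#    available during signing, unlike the offline process on 2008 R2.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# 3. Switch authenticated denial of existence from NSEC to NSEC3, which
#    hashes owner names so the zone contents cannot be walked record by record.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 `
    -NSec3HashAlgorithm RsaSha1 -NSec3Iterations 10 -NSec3OptOut $false `
    -NSec3RandomSaltLength 8

# 4. Verify: which server is Key Master for this zone, and when each key
#    will next roll over automatically.
Get-DnsServerDnsSecZoneSetting -ZoneName $zone |
    Select-Object ZoneName, IsKeyMasterServer, KeyMasterServer, DenialOfExistence
Get-DnsServerSigningKey -ZoneName $zone |
    Format-Table KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod, NextRolloverTime

# 5. Confirm the new record types exist and that a client asking with the
#    DNSSEC OK bit receives RRSIG records alongside the answer.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
Resolve-DnsName -Name "www.$zone" -Type A -Server localhost -DnssecOk

# Optional: the Key Master is a per-zone role, so it can be moved to another
# authoritative server hosting the primary zone (constructed host name).
# Reset-DnsServerZoneKeyMasterRole -ZoneName $zone -KeyMasterServer "dc2.contoso.com" -Force
```

After step 2 the parent zone still needs the new DS record before resolvers can validate the chain of trust; `Get-DnsServerResourceRecord -ZoneName $zone -RRType DS` shows the records to hand to the parent operator.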