Deploying DNSSEC in Windows Server 2012
Rob Kuehfus, Program Manager, Microsoft Corporation
WSV325
TRANSCRIPT
Beyond Virtualization
Windows Server 2012 offers a dynamic, multi-tenant infrastructure that goes beyond virtualization to provide maximum flexibility for delivering and connecting to cloud services.
Modern Workstyle, Enabled
Windows Server 2012 empowers IT to provide users with flexible access to data and applications from virtually anywhere on any device with a rich user experience, while simplifying management and helping maintain security, control and compliance.
The Power of Many Servers, the Simplicity of One
Windows Server 2012 offers excellent economics by integrating a highly available and easy to manage multi-server platform with breakthrough efficiency and ubiquitous automation.
Every App, Any Cloud
WS2012 is a broad, scalable and elastic server platform that gives you the flexibility to build and deploy applications and websites on-premises, in the cloud and in a hybrid environment, using a consistent set of tools and frameworks.
Windows Server 2012: Cloud Optimize Your IT
The Basic Idea
DNSSEC introduces 5 new record types:
- Resource Record Signature (RRSIG)
- DNS Public Key (DNSKEY)
- Delegation Signer (DS)
- Next Secure (NSEC)
- Next Secure 3 (NSEC3)
Using the new records, resolvers build a chain of trust for any signed zone. DNS responses include signatures and can be validated.
Overview | Deployment | Operations | New in DNS
RRSIG, DNSKEY, DS Records

Resolution without DNSSEC (first slide): a client asks its ISP resolver for www.contoso.com. The resolver has no cached answer, so it asks root ("I don't have that information, ask com"), then com ("I don't have that information, ask contoso.com"), then the contoso.com server, which answers "No problem, it's 65.55.39.10". Nothing in that exchange lets the resolver check the answer.

The same query against signed zones, as the resolver in the slides reasons through it:

1. contoso.com now returns two records: www.contoso.com A and www.contoso.com RRSIG. "An RRSIG has been returned. I will validate to see if this is correct."

2. Validate the A record. The resolver fetches contoso.com DNSKEY(KSK), contoso.com DNSKEY(ZSK) and contoso.com DNSKEY(ZSK) RRSIG. It computes the hash of www.contoso.com A, decrypts www.contoso.com RRSIG with DNSKEY(ZSK), and compares the two hashes.

3. "But how do I know the DNSKEY is not spoofed?" Compute the hash of contoso.com DNSKEY(ZSK), decrypt contoso.com DNSKEY(ZSK) RRSIG with DNSKEY(KSK), and compare.

4. "But how do I know I have the correct KSK DNSKEY?" Compute the hash of contoso.com DNSKEY(KSK) and compare it with contoso.com DS (and contoso.com DS RRSIG), which the parent zone com publishes.

5. "com could be spoofed, right? Let's check!" Fetch com DNSKEY(KSK), com DNSKEY(ZSK) and com DNSKEY(ZSK) RRSIG; compute the hash of contoso.com DS, decrypt contoso.com DS RRSIG with com's DNSKEY(ZSK), and compare.

6. "I will validate all the way to root by building a chain up to root." The records gathered for the chain:
   www.contoso.com A, www.contoso.com RRSIG
   contoso.com DNSKEY(KSK), contoso.com DNSKEY(ZSK), contoso.com DNSKEY(ZSK) RRSIG
   contoso.com DS, contoso.com DS RRSIG
   .com DNSKEY(KSK), .com DNSKEY(ZSK), .com DNSKEY(ZSK) RRSIG
   .com DS, .com DS RRSIG
   root DNSKEY(KSK), root DNSKEY(ZSK), root DNSKEY(ZSK) RRSIG

7. "Who do I ask to make sure root's KSK DNSKEY is correct?" ... "Wait a minute… I already have the DNSKEY record in my Trust Anchor store for root. Let's use it." The root DNSKEY(KSK) received on the wire is compared with the root DNSKEY(KSK) in the trust anchor store.

8. "I have completed my validation and everything checks out!"
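The validation walk above, worked as PowerShell (an added example, not part of the deck or of the Windows DNS server code): .NET RSA keys stand in for DNSKEY records, RSA/SHA-256 signatures for RRSIGs, and a SHA-256 digest of the child's KSK for the DS record; the zone names and addresses are constructed. It performs the same chain of checks the resolver describes, from the A record's RRSIG up to the root key in the trust anchor store, and then shows the check stopping for a substituted contoso.com key set.

```powershell
# Added example, not from the deck: a toy model of the validation chain in the slides.
# Real DNSSEC hashes wire-format RRsets; here a "record" is a byte array, an RRSIG is
# an RSA/SHA-256 signature, and a DS is the SHA-256 digest of the child's KSK blob.

function New-SignedZone([string]$Name) {
    # Each zone has a KSK (signs the DNSKEY set) and a ZSK (signs zone data).
    $ksk = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    $zsk = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
    $zone = [pscustomobject]@{
        Name      = $Name
        Zsk       = $zsk                         # private ZSK, used for signing below
        KskPublic = $ksk.ExportCspBlob($false)   # DNSKEY(KSK) as published
        ZskPublic = $zsk.ExportCspBlob($false)   # DNSKEY(ZSK) as published
        ZskSig    = $null                        # DNSKEY(ZSK) RRSIG, made with the KSK
        Records   = @{}                          # owner name -> @{ Data; Sig }
    }
    $zone.ZskSig = $ksk.SignData($zone.ZskPublic, 'SHA256')
    return $zone
}

function Add-SignedRecord($Zone, [string]$Owner, [byte[]]$Data) {
    # The RRSIG that travels with a record is produced by the zone's ZSK.
    $Zone.Records[$Owner] = @{ Data = $Data; Sig = $Zone.Zsk.SignData($Data, 'SHA256') }
}

function Get-DsDigest([byte[]]$KskPublic) {
    # DS record content: a hash of the child's KSK, published and signed in the parent.
    return [System.Security.Cryptography.SHA256]::Create().ComputeHash($KskPublic)
}

function Test-Signature([byte[]]$PublicBlob, [byte[]]$Data, [byte[]]$Sig) {
    # "Compute hash, decrypt with DNSKEY, compare" from the slides, done by VerifyData.
    $pub = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    $pub.ImportCspBlob($PublicBlob)
    return $pub.VerifyData($Data, 'SHA256', $Sig)
}

function Test-ChainOfTrust([string]$Owner, [object[]]$Zones, [byte[]]$TrustAnchor) {
    # $Zones runs child to root (contoso.com, com, root), the way the resolver walks it.
    $rec = $Zones[0].Records[$Owner]
    if (-not (Test-Signature $Zones[0].ZskPublic $rec.Data $rec.Sig)) { return "RRSIG for $Owner is bad" }
    for ($i = 0; $i -lt $Zones.Count; $i++) {
        $zone = $Zones[$i]
        # Is the ZSK spoofed? Its RRSIG must verify with the zone's KSK.
        if (-not (Test-Signature $zone.KskPublic $zone.ZskPublic $zone.ZskSig)) { return "DNSKEY(ZSK) RRSIG for $($zone.Name) is bad" }
        if ($i -eq $Zones.Count - 1) {
            # Nobody is above root: compare its KSK with the trust anchor store.
            if ([Convert]::ToBase64String($zone.KskPublic) -ne [Convert]::ToBase64String($TrustAnchor)) { return 'root KSK does not match the trust anchor' }
            return "validated $Owner up to the root trust anchor"
        }
        # Is the KSK the right one? Its hash must equal the DS the parent publishes, and that
        # DS must itself verify with the parent's ZSK before the walk continues upward.
        $parent = $Zones[$i + 1]
        $ds = $parent.Records[$zone.Name]
        if ([Convert]::ToBase64String($ds.Data) -ne [Convert]::ToBase64String((Get-DsDigest $zone.KskPublic))) { return "DS for $($zone.Name) does not match its KSK" }
        if (-not (Test-Signature $parent.ZskPublic $ds.Data $ds.Sig)) { return "DS RRSIG for $($zone.Name) is bad" }
    }
}

# Constructed zones: root delegates com, com delegates contoso.com, each with a signed DS.
$root    = New-SignedZone 'root'
$com     = New-SignedZone 'com'
$contoso = New-SignedZone 'contoso.com'
Add-SignedRecord $root    'com'             (Get-DsDigest $com.KskPublic)
Add-SignedRecord $com     'contoso.com'     (Get-DsDigest $contoso.KskPublic)
Add-SignedRecord $contoso 'www.contoso.com' ([Text.Encoding]::ASCII.GetBytes('A 65.55.39.10'))
$trustAnchor = $root.KskPublic   # what the resolver already holds for root

Test-ChainOfTrust 'www.contoso.com' @($contoso, $com, $root) $trustAnchor

# A substituted contoso.com key set (constructed) signs its own answer consistently, but its
# KSK hash does not match the DS that com publishes, so validation stops at that step.
$bogus = New-SignedZone 'contoso.com'
Add-SignedRecord $bogus 'www.contoso.com' ([Text.Encoding]::ASCII.GetBytes('A 203.0.113.99'))
Test-ChainOfTrust 'www.contoso.com' @($bogus, $com, $root) $trustAnchor
```

The first call returns the "validated ... up to the root trust anchor" message; the second stops with the DS mismatch. Each return string names the step at which validation stopped, which is the same information a validating resolver's log would carry.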
NSEC, NSEC3

contoso.com (unsigned) holds five A records: accounting.contoso.com, enroll.contoso.com, server3.contoso.com, hr.contoso.com, www.contoso.com.

Contoso.com (signed w/ NSEC) holds the same A records plus a Next Secure (NSEC) chain. Each NSEC record names the next owner in the zone's canonical order, so the chain is:
   contoso.com -> accounting.contoso.com
   accounting.contoso.com -> enroll.contoso.com
   enroll.contoso.com -> hr.contoso.com
   hr.contoso.com -> server3.contoso.com
   server3.contoso.com -> www.contoso.com
   www.contoso.com -> contoso.com

A query for budget.contoso.com (no such record) is answered with the signed NSEC record that covers the gap. "Hmm….. but now we have learned there are no records between budget and accounting": the negative answer itself discloses real names in the zone.

Contoso.com (signed w/ NSEC3) replaces the NSEC chain with Next Secure 3 (NSEC3) records whose owner names are hashes (the slide shows oejsnw854jr, km8301jsdyew, mhsq74ikjdj, ythe84jkf, kdfshjdfswe98, mdjeu489wjd). The query for budget.contoso.com returns a hashed response to prevent dictionary attacks.
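An added example, not from the deck: the first part computes NSEC3 owner names as RFC 5155 specifies them (SHA-1 over the wire-format name and salt, iterated, base32hex-encoded) and checks itself against the RFC's published vector, so the hashed chain in the NSEC3 slide can be reproduced for the slide's own names under a constructed salt; the second part is the Windows Server 2012 zone setting that selects NSEC3 with a random salt and an iteration count. The zone name, salt and iteration count are constructed.

```powershell
# Added example, not from the deck. Part 1: NSEC3 owner-name hashing per RFC 5155.
# Part 2: selecting NSEC3 for a zone with the Windows Server 2012 DnsServer cmdlets.

function ConvertTo-DnsWireName([string]$Name) {
    # Canonical wire form: lower-case, length-prefixed labels, terminating zero byte.
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Name.TrimEnd('.').ToLowerInvariant().Split('.')) {
        $bytes = [Text.Encoding]::ASCII.GetBytes($label)
        $out.Add([byte]$bytes.Length)
        $out.AddRange($bytes)
    }
    $out.Add([byte]0)
    return ,$out.ToArray()
}

function ConvertTo-Base32Hex([byte[]]$Data) {
    # Base32 with the extended-hex alphabet (RFC 4648 section 7), no padding, as NSEC3 owner names use.
    $alphabet = '0123456789abcdefghijklmnopqrstuv'
    $sb = New-Object System.Text.StringBuilder
    $acc = 0; $bits = 0
    foreach ($b in $Data) {
        $acc = (($acc -shl 8) -bor [int]$b) -band 0xFFFF   # keep only the live low bits
        $bits += 8
        while ($bits -ge 5) {
            $bits -= 5
            [void]$sb.Append($alphabet[($acc -shr $bits) -band 0x1F])
        }
    }
    if ($bits -gt 0) { [void]$sb.Append($alphabet[($acc -shl (5 - $bits)) -band 0x1F]) }
    return $sb.ToString()
}

function Get-Nsec3OwnerHash([string]$Name, [string]$SaltHex, [int]$Iterations) {
    # IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt); H is SHA-1 (NSEC3 hash algorithm 1).
    if ($SaltHex -eq '-') { $SaltHex = '' }   # '-' is the presentation form of an empty salt
    $salt = New-Object byte[] ([int]($SaltHex.Length / 2))
    for ($i = 0; $i -lt $salt.Length; $i++) { $salt[$i] = [Convert]::ToByte($SaltHex.Substring(2 * $i, 2), 16) }
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    [byte[]]$h = $sha1.ComputeHash([byte[]]((ConvertTo-DnsWireName $Name) + $salt))
    for ($k = 0; $k -lt $Iterations; $k++) { $h = $sha1.ComputeHash([byte[]]($h + $salt)) }
    return ConvertTo-Base32Hex $h
}

# Self-check against the RFC 5155 Appendix A example: owner "example", salt aabbccdd, 12 iterations.
if ((Get-Nsec3OwnerHash 'example' 'aabbccdd' 12) -ne '0p9mhaveqvm6t7vbl5lop2u3t2rp3tom') { throw 'NSEC3 hash self-check failed' }

# The names from the slides under a constructed salt, sorted the way the NSEC3 chain orders them:
# the chain's neighbours are hashes, so a covering NSEC3 no longer names the real records around a gap.
$salt = 'f00dbabe'; $iterations = 10
'contoso.com', 'accounting.contoso.com', 'enroll.contoso.com', 'hr.contoso.com', 'server3.contoso.com', 'www.contoso.com' |
    ForEach-Object { [pscustomobject]@{ Name = $_; Nsec3Owner = Get-Nsec3OwnerHash $_ $salt $iterations } } |
    Sort-Object Nsec3Owner | Format-Table -AutoSize

# Part 2: select NSEC3 for the zone on the key master. Set this before signing the zone, or
# re-sign after changing it. Read the setting back, then list NSEC3PARAM (salt and iteration
# count that resolvers use) and the NSEC3 records once the zone is signed.
Set-DnsServerDnsSecZoneSetting -ZoneName 'contoso.com' -DenialOfExistence NSec3 `
    -NSec3Iterations $iterations -NSec3RandomSaltLength 4 -NSec3OptOut $false
Get-DnsServerDnsSecZoneSetting -ZoneName 'contoso.com' | Format-List DenialOfExistence, NSec3*
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType NSec3Param
Get-DnsServerResourceRecord -ZoneName 'contoso.com' -RRType NSec3 | Select-Object HostName, RecordData
```

The hash functions run anywhere PowerShell 3.0 or later is available; the Set/Get cmdlets in the second part need the DnsServer module on a Windows Server 2012 DNS server and must be run against the zone's key master.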
DNSSEC in Windows 2008 R2
Microsoft introduced support for DNSSEC in Windows 2008 R2:
- Ability to sign zones offline and host signed zones
- Validation of signed responses
- Support for NSEC
ENABLING ENTERPRISE DNSSEC ROLLOUT
DNSSEC in Windows Server 2012: Interoperability, Manageability, Dynamic, Automation

- Latest RFCs
- NSEC3 support
- RSA/SHA-2 signing
- Automated Trust Anchor rollover

- Active Directory integrated
- Support for dynamic updates, preserving the multi-master DNS model
- Leverage AD for secure key distribution and Trust Anchor distribution

- Automated re-signing on static and dynamic updates
- Automated key rollovers
- Automated signature refresh
- Automated updating of secure delegations
- Automated distribution and updating of Trust Anchors
Introduce Windows Server 2012
- Active Directory integrated zone, classic multi-master deployment
- Hosted on five DNS servers that are also domain controllers
Signing a zone
- AD integrated zone
- DNS Manager wizard walks the admin through the signing process
- Generates keys for signing the zone on the first DC
- Signs its own copy of the zone
Key Master Role
- Single location for all key generation and management
- Drives automated rollover
- Administrator designates one server to be the key master
- First DNSSEC server becomes KM
Signing entire zone
- Private zone signing keys replicate automatically to all DCs hosting the zone through AD replication
- Each zone owner signs its own copy of the zone when it receives the key
- Only Windows 8 DCs will sign their copy of the zone
Updating zone data
1. Client sends a dynamic update to any authoritative DNS server
2. That DNS server updates its own copy of the zone and generates signatures
3. The unsigned update is replicated to all other authoritative servers
4. Each DNS server adds the update to its copy of the zone and generates signatures
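An added example, not from the deck, covering the signing and update steps above with the Windows Server 2012 DnsServer cmdlets: key generation and signing on the first DC (which becomes key master), confirming that each DC has signed its own copy, and checking that an update made on another DC ends up signed on all of them. The server names, zone and record are constructed.

```powershell
# Added example, not from the deck: sign an AD-integrated zone and watch signatures
# appear on every DC that hosts it. Names are constructed; cmdlets are from the
# Windows Server 2012 DnsServer module.
$zone      = 'contoso.com'
$keyMaster = 'dc1.contoso.com'
$otherDcs  = 'dc2.contoso.com', 'dc3.contoso.com', 'dc4.contoso.com', 'dc5.contoso.com'
$allDcs    = @($keyMaster) + $otherDcs

# 1. Generate the keys on the server that will hold the key master role:
#    a 2048-bit RSA/SHA-256 KSK and a 1024-bit RSA/SHA-256 ZSK.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048 -ComputerName $keyMaster
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024 -ComputerName $keyMaster

# 2. Sign the zone with those keys. This server signs its own copy and becomes key master.
Invoke-DnsServerZoneSign -ZoneName $zone -ComputerName $keyMaster -Force
Get-DnsServerDnsSecZoneSetting -ZoneName $zone -ComputerName $keyMaster | Format-List IsKeyMasterServer, KeyMasterServer

# 3. The private keys reach the other DCs through AD replication and each signs its own copy.
#    Confirm every DC reports the zone signed and serves RRSIGs for the apex.
foreach ($dc in $allDcs) {
    $isSigned = (Get-DnsServerZone -Name $zone -ComputerName $dc).IsSigned
    $apexSigs = @(Get-DnsServerResourceRecord -ZoneName $zone -Name '@' -RRType RRSig -ComputerName $dc -ErrorAction SilentlyContinue).Count
    '{0}: IsSigned={1} apex RRSIGs={2}' -f $dc, $isSigned, $apexSigs
}

# 4. Updates: add a record on a DC that is not the key master (a static update; a client's
#    dynamic registration, for example via Register-DnsClient, takes the same path). That DC
#    signs the change, the unsigned update replicates, and every other DC generates its own signature.
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'server6' -IPv4Address '10.0.0.6' -ComputerName $otherDcs[0]
foreach ($dc in $allDcs) {
    $sig = Get-DnsServerResourceRecord -ZoneName $zone -Name 'server6' -RRType RRSig -ComputerName $dc -ErrorAction SilentlyContinue
    '{0}: server6 RRSIG present={1}' -f $dc, [bool]$sig
}
```

Step 4 depends on AD replication latency: DCs that have not yet received the update report no RRSIG for server6 until replication completes, so re-run the loop after a replication interval rather than treating a single missing signature as a signing failure.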
Trust Anchor Distribution & Mgmt.
Trust Anchor Distribution:
- Trust Anchors replicate via AD to all DNS servers that are DCs in the forest
- Distribution of TAs to servers that are not domain controllers in the forest is manual, via PowerShell or DNS Manager
Trust Anchor maintenance:
- Trust Anchor updates are automatically replicated via AD to all servers in the forest
- Automated Trust Anchor rollover is used to keep TAs up to date
DNSSEC Lifecycle
- Introduce Windows Server 2012 DCs
- Sign zone
- Roll out Windows Server 2012 DCs
- Update LDNS to Windows Server 2012
- Deploy TAs on LDNS server
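An added example, not from the deck, for the two trust anchor paths above and the "Deploy TAs on LDNS server" step: AD distribution for DCs, a file export and import for a resolver that is not a DC, and the root trust anchor on that resolver. Hostnames, paths and the zone are constructed; the Add-DnsServerTrustAnchor -Root switch and the Import-DnsServerTrustAnchor -KeySetFile parameter are used as I recall them from the 2012 module, so confirm them with Get-Help on the server.

```powershell
# Added example, not from the deck: trust anchor distribution for DCs and for a local DNS
# (LDNS) resolver that is not a DC. Names and paths are constructed; cmdlets are from the
# Windows Server 2012 DnsServer module (see the lead-in for the two assumed parameters).
$zone = 'contoso.com'; $keyMaster = 'dc1.contoso.com'; $ldns = 'ldns1.contoso.com'   # ldns1 is not a DC

# 1. DCs in the forest: have the zone publish its KSK as a trust anchor in AD. Every DNS
#    server that is a DC picks it up, and later rollovers of it, through replication.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DistributeTrustAnchor DnsKey -ComputerName $keyMaster

# 2. Servers that are not DCs: export the public keys on the key master. This writes
#    keyset-contoso.com (DNSKEY form) and dsset-contoso.com (DS form) under the path.
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\dnssec' -DigestType Sha256 -ComputerName $keyMaster -Force
#    Move the keyset file to the LDNS server over a channel you trust (a tampered file would
#    install a bogus trust anchor and every answer under it would "validate"), then import it.
Import-DnsServerTrustAnchor -KeySetFile 'C:\dnssec\keyset-contoso.com' -ComputerName $ldns   # assumed parameter name

# 3. The LDNS server also needs the root trust anchor to validate names outside contoso.com.
Add-DnsServerTrustAnchor -Root -ComputerName $ldns   # assumed switch; installs the published root KSK

# 4. Verify: trust points for both names, the anchor's state, and a validating query that
#    comes back with RRSIG records next to the answer.
Get-DnsServerTrustPoint -ComputerName $ldns
Get-DnsServerTrustAnchor -Name $zone -ComputerName $ldns
Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk -Server $ldns
```

The automatic path (step 1) is what keeps the DC resolvers current through KSK rollovers; the file import in step 2 is a one-time snapshot, so servers that received their anchor that way rely on the automated trust anchor rollover described in the slide to stay valid.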
Key Rollover Process
(figure, shown on two slides: the contoso.com zone with its KSK and the zone signing keys ZSK1 and ZSK2)
Stages: Initial -> Insert new key -> Replicate -> Re-sign with new key -> Remove old key
Key Management has low TCO
Signatures stay up-to-date:
- New records are signed automatically when zone data changes, for static and dynamic updates
- NSEC records are kept up to date
Automated key rollovers:
- Key rollover frequency is configured per zone
- Key master automatically generates new keys and replicates them via AD
- Zone owners roll over keys and re-sign the zone
- Secure delegations from the parent are also automatically updated (within the same forest)
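An added example, not from the deck: reading and adjusting the per-zone rollover settings and driving a rollover by hand from the key master, for both the ZSK (fully automatic) and the KSK (which waits for the parent's DS to change). Zone and server names are constructed; the cmdlets are from the Windows Server 2012 DnsServer module.

```powershell
# Added example, not from the deck: rollover settings and manual rollover on the key master.
$zone = 'contoso.com'; $keyMaster = 'dc1.contoso.com'

# Which keys exist, their algorithm and size, the rollover period, and the next action due.
Get-DnsServerSigningKey -ZoneName $zone -ComputerName $keyMaster |
    Format-Table KeyId, KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod, NextRolloverAction -AutoSize

$zsk = Get-DnsServerSigningKey -ZoneName $zone -ComputerName $keyMaster | Where-Object KeyType -eq 'ZoneSigningKey' | Select-Object -First 1
$ksk = Get-DnsServerSigningKey -ZoneName $zone -ComputerName $keyMaster | Where-Object KeyType -eq 'KeySigningKey'  | Select-Object -First 1

# Rollover frequency is a per-zone, per-key setting: roll the ZSK every 60 days.
Set-DnsServerSigningKey -ZoneName $zone -KeyId $zsk.KeyId -RolloverPeriod (New-TimeSpan -Days 60) -ComputerName $keyMaster

# Roll the ZSK now. The key master runs the slide's sequence itself: generate the new key,
# replicate it via AD, let each zone owner re-sign with it, then retire the old key.
Invoke-DnsServerSigningKeyRollover -ZoneName $zone -KeyId $zsk.KeyId -ComputerName $keyMaster -Force

# A KSK rollover adds one step: the parent's DS must change. Inside the forest that happens
# automatically. For an external parent, start the rollover, export the new DS set, publish it
# with the parent, and only then tell the key master to finish.
Invoke-DnsServerSigningKeyRollover -ZoneName $zone -KeyId $ksk.KeyId -ComputerName $keyMaster -Force
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\dnssec' -DigestType Sha256 -ComputerName $keyMaster -Force   # writes dsset-contoso.com
Step-DnsServerSigningKeyRollover -ZoneName $zone -KeyId $ksk.KeyId -ComputerName $keyMaster -Force   # after the parent serves the new DS
```

Running Step-DnsServerSigningKeyRollover before the parent actually serves the new DS removes the old KSK while resolvers still validate against the old DS, so check the parent with Resolve-DnsName -Type DS first.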
Overview
Deployment
Operations
New in DNS
Advanced: Last mile
(figure: the server authoritative for the zone, a non-authoritative DNS resolver and the client; labels DNSSEC, IPSEC, GPO)
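An added example, not from the deck: the client-side half of the last mile. On Windows, the GPO in the figure carries Name Resolution Policy Table (NRPT) rules; the rule below requires validated answers for the contoso.com namespace and IPsec between the client and its resolver. The GPO name and namespace are constructed; the cmdlets are from the Windows DnsClient module.

```powershell
# Added example, not from the deck: an NRPT rule, delivered by Group Policy, that makes
# clients demand DNSSEC validation and IPsec for the contoso.com namespace. Names constructed.
Add-DnsClientNrptRule -GpoName 'DNSSEC Last Mile' -Namespace '.contoso.com' `
    -DnsSecEnable -DnsSecValidationRequired `
    -DnsSecIPsecRequired -DnsSecIPsecEncryptionType Medium `
    -Comment 'Require validated answers for contoso.com and IPsec to the resolver'

# On a client after the GPO has applied: the effective rule set, then a query for the namespace.
# With the rule in place the client only uses an answer the resolver reports as validated.
Get-DnsClientNrptPolicy -Effective | Where-Object Namespace -eq '.contoso.com'
Resolve-DnsName -Name 'www.contoso.com' -Type A -DnssecOk
```

The IPsec half needs the resolver side configured as well (the IPSEC label on the authoritative-to-resolver and resolver-to-client hops in the figure); a rule that requires IPsec against a resolver without a matching policy leaves the client with no answer rather than an unprotected one.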
DNSSEC signing performance
(chart: nodes/second signed per configuration, with memory factor on a second axis; individual bar values are not preserved in this text)
Configurations compared:
   1024-bit RSA: RsaSha1 NSEC, RsaSha256 NSEC, RsaSha1 NSEC3, RsaSha256 NSEC3, RsaSha512 NSEC3
   ECDSA: ECDsaP256Sha256 NSEC3, ECDsaP384Sha384 NSEC3
   2048-bit RSA: RsaSha1 NSEC, RsaSha256 NSEC, RsaSha256 NSEC3, RsaSha1 NSEC3, RsaSha512 NSEC3
   4096-bit RSA: RsaSha1 NSEC, RsaSha256 NSEC, RsaSha512 NSEC3, RsaSha256 NSEC3, RsaSha1 NSEC3
Axes: nodes/second signed, 0 to 350; memory factor, 0 to 7
New in DNS for Windows Server 2012
- IPAM
- PowerShell cmdlets: near parity with dnscmd.exe
- Dynamic re-ordering of forwarders: the server now picks the forwarder that is responsive over the ones that are not. Basically, unresponsive forwarders are dropped to the bottom of the list for successive queries
- WINS support for DNSSEC
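An added example, not from the deck: turning on the forwarder re-ordering described above and reading the setting back. Addresses and the server name are constructed; the cmdlets are from the Windows Server 2012 DnsServer module.

```powershell
# Added example, not from the deck: forwarder list with dynamic re-ordering enabled.
# 192.0.2.x addresses and the server name are constructed.
$server = 'dc1.contoso.com'

# Replace the forwarder list, enable re-ordering so an unresponsive forwarder is moved to the
# bottom for later queries, and cap the per-forwarder wait at 3 seconds.
Set-DnsServerForwarder -IPAddress 192.0.2.10, 192.0.2.11 -EnableReordering $true -Timeout 3 -ComputerName $server

# Read it back; with re-ordering on, the order shown is the current preference, not the configured one.
Get-DnsServerForwarder -ComputerName $server | Format-List IPAddress, EnableReordering, Timeout, UseRootHint
```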
Summary
- People are trusting DNSSEC can protect them
- Easy to deploy
- Smart defaults
- Automated management for day to day operations
SIA, WSV, and VIR Track Resources
Talk to our Experts at the TLC
DOWNLOAD Windows Server 2012 Release Candidate: microsoft.com/windowsserver
Hands-On Labs
DOWNLOAD Windows Azure: Windowsazure.com/teched
Resources
Connect. Share. Discuss. http://northamerica.msteched.com
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.