
Deploying DNSSEC in Windows Server 2012

Rob Kuehfus

Program Manager

Microsoft Corporation

WSV325

Agenda

Overview

Deployment

Operations

New in DNS

DNS Spoofing

Demo

Beyond Virtualization

Windows Server 2012 offers a dynamic, multi-tenant infrastructure that goes beyond virtualization to provide maximum flexibility for delivering and connecting to cloud services.

Modern Workstyle, Enabled

Windows Server 2012 empowers IT to provide users with flexible access to data and applications from virtually anywhere on any device with a rich user experience, while simplifying management and helping maintain security, control and compliance.

The Power of Many Servers, the Simplicity of One

Windows Server 2012 offers excellent economics by integrating a highly available and easy to manage multi-server platform with breakthrough efficiency and ubiquitous automation.

Every App, Any Cloud

WS2012 is a broad, scalable and elastic server platform that gives you the flexibility to build and deploy applications and websites on-premises, in the cloud and in a hybrid environment, using a consistent set of tools and frameworks.

Windows Server 2012: Cloud Optimize Your IT

The Basic Idea

DNSSEC introduces 5 new record types:

Resource Record Signature (RRSIG)

DNS Public Key (DNSKEY)

Delegation Signer (DS)

Next Secure (NSEC)

Next Secure 3 (NSEC3)

Using the new records, resolvers build a chain of trust for any signed zone.

DNS responses include signatures and can be validated.


RRSIG, DNSKEY, DS Records

Client asks the ISP resolver: www.contoso.com?

ISP asks root: www.contoso.com? Root: I don't have that information, ask com.

ISP asks com: www.contoso.com? Com: I don't have that information, ask contoso.com.

ISP asks contoso.com: www.contoso.com? Contoso.com: No problem, it's 65.55.39.10.

The answer carries two records: www.contoso.com A and www.contoso.com RRSIG.

RRSIG, DNSKEY, DS Records

ISP: An RRSIG has been returned. I will validate to see if this is correct.

Records obtained from contoso.com: www.contoso.com A, www.contoso.com RRSIG, contoso.com DNSKEY (KSK), contoso.com DNSKEY (ZSK), contoso.com DNSKEY (ZSK) RRSIG.

Compute the hash of www.contoso.com A. Decrypt www.contoso.com RRSIG with DNSKEY (ZSK) and compare the two hashes.

RRSIG, DNSKEY, DS Records

ISP: But how do I know the DNSKEY is not spoofed?

Compute the hash of contoso.com DNSKEY (ZSK). Decrypt contoso.com DNSKEY (ZSK) RRSIG with DNSKEY (KSK) and compare the two hashes.

RRSIG, DNSKEY, DS Records

ISP: But how do I know I have the correct KSK DNSKEY?

Compute the hash of contoso.com DNSKEY (KSK). Compare it with the contoso.com DS record (and its RRSIG) obtained from com.

RRSIG, DNSKEY, DS Records

ISP: COM could be spoofed, right? Let's check!

Records obtained from com: contoso.com DS, contoso.com DS RRSIG, com DNSKEY (KSK), com DNSKEY (ZSK), com DNSKEY (ZSK) RRSIG.

Compute the hash of contoso.com DS. Decrypt contoso.com DS RRSIG with com DNSKEY (ZSK) and compare the two hashes.

RRSIG, DNSKEY, DS Records

ISP: I will validate all the way to root by building a chain up to root.

www.contoso.com A, www.contoso.com RRSIG

contoso.com DNSKEY (KSK), contoso.com DNSKEY (ZSK), contoso.com DNSKEY (ZSK) RRSIG

contoso.com DS, contoso.com DS RRSIG

.com DNSKEY (KSK), .com DNSKEY (ZSK), .com DNSKEY (ZSK) RRSIG

.com DS, .com DS RRSIG

root DNSKEY (KSK), root DNSKEY (ZSK), root DNSKEY (ZSK) RRSIG

RRSIG, DNSKEY, DS Records

ISP: Who do I ask to make sure root's KSK DNSKEY is correct?

Wait a minute… I already have the DNSKEY record in my Trust Anchor store for root. Let's use it.

Compare root DNSKEY (KSK) from the response with root DNSKEY (KSK) in the Trust Anchor store.

RRSIG, DNSKEY, DS Records

ISP: I have completed my validation and everything checks out!

The full chain: www.contoso.com A + RRSIG → contoso.com DNSKEY (ZSK, KSK) + RRSIG → contoso.com DS + RRSIG (from .com) → .com DNSKEY (ZSK, KSK) + RRSIG → .com DS + RRSIG (from root) → root DNSKEY (ZSK, KSK) + RRSIG → root KSK in the Trust Anchor store.

NSEC, NSEC3

contoso.com (unsigned)

accounting.contoso.com A record

enroll.contoso.com A record

server3.contoso.com A record

hr.contoso.com A record

www.contoso.com A record

Contoso.com (signed w/ NSEC)

contoso.com NSEC record, Next Secure: accounting.contoso.com

accounting.contoso.com A record; NSEC record, Next Secure: enroll.contoso.com

enroll.contoso.com A record; NSEC record, Next Secure: hr.contoso.com

hr.contoso.com A record; NSEC record, Next Secure: server3.contoso.com

server3.contoso.com A record; NSEC record, Next Secure: www.contoso.com

www.contoso.com A record; NSEC record, Next Secure: contoso.com

NSEC, NSEC3

Contoso.com (signed w/ NSEC): query for budget.contoso.com returns the NSEC record covering that name.

Hmm… but now we have learned there are no records between budget and accounting.

NSEC, NSEC3

Contoso.com (signed w/ NSEC3)

accounting.contoso.com A record

enroll.contoso.com A record

server3.contoso.com A record

hr.contoso.com A record

www.contoso.com A record

Next Secure 3 records, with hashed owner names: oejsnw854jr, km8301jsdyew, mhsq74ikjdj, ythe84jkf, kdfshjdfswe98, mdjeu489wjd

Query for budget.contoso.com: returns a hashed response to prevent dictionary attacks.
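The two denial-of-existence schemes on these slides, as an added Python example written for this page (not code from the session or from Windows Server). It builds the NSEC chain for the slide's contoso.com names, finds the record that proves budget.contoso.com does not exist, and hashes the same names the way NSEC3 does (RFC 5155: salted, iterated SHA-1 over the wire-format name, Base32hex output). The salt and iteration counts used below are constructed; the one real value is the RFC 5155 Appendix A test vector used as a self-check.

```python
"""NSEC and NSEC3 denial of existence (added example; not from the deck).

With NSEC the covering record leaks the two neighbouring owner names; with
NSEC3 it leaks only two hashes. Standard library only.
"""
import base64
import hashlib

ZONE = "contoso.com"
NAMES = ["accounting", "enroll", "server3", "hr", "www"]   # the slide's A records
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def name_key(name):
    """RFC 4034 canonical ordering: labels compared right to left, lowercased."""
    return [label.lower().encode() for label in reversed(name.rstrip(".").split("."))]


def _covering(chain, key, qname):
    """(owner, next) whose interval contains qname; handles the wrap back to the apex."""
    k = key(qname)
    for owner, nxt in chain.items():
        o, n = key(owner), key(nxt)
        if o < k < n or (n <= o and (k > o or k < n)):
            return owner, nxt
    return None          # qname is an existing owner: nothing covers it


def nsec_chain(zone=ZONE, names=NAMES):
    """owner -> next owner in canonical order; the last record points to the apex."""
    owners = sorted([zone] + [f"{n}.{zone}" for n in names], key=name_key)
    return {o: owners[(i + 1) % len(owners)] for i, o in enumerate(owners)}


def covering_nsec(qname, chain=None):
    """The NSEC record a server returns to prove qname does not exist."""
    return _covering(chain or nsec_chain(), name_key, qname)


def wire_name(name):
    """Canonical wire format: length-prefixed lowercase labels plus the root label."""
    labels = [l.lower().encode() for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: H(x) = SHA-1(x || salt), iterated; Base32hex owner name."""
    h = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base64.b32encode(h).decode().translate(_B32_TO_B32HEX)


def nsec3_chain(zone=ZONE, names=NAMES, salt=b"", iterations=0):
    """hashed owner -> next hashed owner, ordered by hash rather than by name."""
    owners = [zone] + [f"{n}.{zone}" for n in names]
    hashes = sorted(nsec3_hash(o, salt, iterations) for o in owners)
    return {h: hashes[(i + 1) % len(hashes)] for i, h in enumerate(hashes)}


def covering_nsec3(qname, salt=b"", iterations=0):
    """The NSEC3 record covering H(qname); reveals hashes, not neighbouring names."""
    chain = nsec3_chain(ZONE, NAMES, salt, iterations)
    return _covering(chain, lambda h: h, nsec3_hash(qname, salt, iterations))


def rfc5155_vector_ok():
    """Self-check against the apex owner hash in the RFC 5155 Appendix A zone."""
    return nsec3_hash("example", bytes.fromhex("aabbccdd"), 12) == "0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM"
```

covering_nsec("budget.contoso.com") returns the accounting → enroll record, which is exactly the information the slide's resolver "learned"; covering_nsec3 for the same query returns two Base32hex strings, and recovering names from them requires guessing candidates and hashing each with the zone's salt and iteration count, which is the dictionary attack the slide refers to.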

Signing a zone

Demo

DNSSEC in Windows 2008 R2

Microsoft introduced support for DNSSEC in Windows 2008 R2…

Ability to sign zones offline and host signed zones

Validation of signed responses

Support for NSEC


ENABLING ENTERPRISE DNSSEC ROLLOUT

DNSSEC in Windows Server 2012: Interoperability, Manageability, Dynamic, Automation

Latest RFCs

NSEC3 support

RSA/SHA-2 signing

Automated Trust Anchor rollover

Active Directory integrated

Support for dynamic updates, preserving the multi-master DNS model

Leverage AD for secure key distribution and Trust Anchor distribution

Automated re-signing on static and dynamic updates

Automated key rollovers

Automated signature refresh

Automated updating of secure delegations

Automated distribution and updating of Trust Anchors

Introduce Windows Server 2012

Active Directory integrated zone

Classic multi-master deployment

Hosted on five DNS servers that are also domain controllers


Signing a zone

AD integrated zone

DNS Manager wizard walks the admin through the signing process

Generates keys for signing the zone on the first DC

Signs its own copy of the zone


Key Master Role

Single location for all key generation and management

Drives automated rollover

Administrator designates one server to be the key master

First DNSSEC server becomes KM


Signing entire zone

Private zone signing keys replicate automatically to all DCs hosting the zone through AD replication

Each zone owner signs its own copy of the zone when it receives the key

Only Windows 8 DCs will sign their copy of the zone


Updating zone data

1. Client sends dynamic update to any authoritative DNS server

2. That DNS server updates its own copy of the zone and generates signatures

3. The unsigned update is replicated to all other authoritative servers

4. Each DNS server adds the update to its copy of the zone and generates signatures


Deploy Trust Anchor

Demo

Trust Anchor Distribution & Mgmt.

Trust Anchor Distribution

Trust Anchors replicate to all DNS servers that are DCs in the forest via AD

Distribution of TAs to servers that are not domain controllers in the forest is manual, via PowerShell or DNS Manager

Trust Anchor maintenance

Trust Anchor updates are automatically replicated via AD to all servers in the forest

Automated Trust Anchor rollover is used to keep TAs up to date


DNSSEC Lifecycle

Introduce Windows Server 2012 DCs

Sign zone

Roll out Windows Server 2012 DCs

Update LDNS to Windows Server 2012

Deploy TAs on LDNS server


Key Rollover Process

Zone: contoso.com. Keys: KSK; ZSK1 rolls over to ZSK2.

Steps: Initial, Insert new Key, Replicate, Resign w/ new Key, Remove old Key

Key Management has low TCO

Signatures stay up-to-date

New records are signed automatically when zone data changes

Static and dynamic updates

NSEC records are kept up to date

Automated key rollovers

Key rollover frequency is configured per zone

Key master automatically generates new keys and replicates them via AD

Zone owners roll over keys and re-sign the zone

Secure delegations from the parent are also automatically updated (within the same forest)


Advanced: Last mile

Diagram: Non-Auth DNS resolver to the server authoritative for the zone: DNSSEC. Client to Non-Auth DNS resolver (Last Mile): IPSEC, configured via GPO.

Demo

DNSSEC signing performance

Chart (values not recoverable from the text): nodes/second signed (left axis, 0 to 350) and memory factor (right axis, 0 to 7) for each signing configuration:

1024 RsaSha1 NSEC, 1024 RsaSha256 NSEC, 1024 RsaSha1 NSEC3, 1024 RsaSha256 NSEC3, 1024 RsaSha512 NSEC3

ECDsaP256Sha256 NSEC3, ECDsaP384Sha384 NSEC3

2048 RsaSha1 NSEC, 2048 RsaSha256 NSEC, 2048 RsaSha256 NSEC3, 2048 RsaSha1 NSEC3, 2048 RsaSha512 NSEC3

4096 RsaSha1 NSEC, 4096 RsaSha256 NSEC, 4096 RsaSha512 NSEC3, 4096 RsaSha256 NSEC3, 4096 RsaSha1 NSEC3


New in DNS for Windows Server 2012

IPAM

PowerShell cmdlets

Near parity with dnscmd.exe

Dynamic re-ordering of forwarders

The server now picks the forwarder that is responsive over the ones that are not responsive. Basically, unresponsive forwarders are dropped to the bottom of the list for successive queries.

WINS Support for DNSSEC


Summary

People are trusting DNSSEC can protect them

Easy to deploy

Smart defaults

Automated management for day to day operations


SIA, WSV, and VIR Track Resources

Talk to our Experts at the TLC

#TE(sessioncode)

DOWNLOAD Windows Server 2012 Release Candidate

microsoft.com/windowsserver

Hands-On Labs

DOWNLOAD Windows Azure

Windowsazure.com/teched

Resources

Connect. Share. Discuss.

http://northamerica.msteched.com

Learning

Microsoft Certification & Training Resources

www.microsoft.com/learning

TechNet

Resources for IT Professionals

http://microsoft.com/technet

Resources for Developers

http://microsoft.com/msdn

Complete an evaluation on CommNet and enter to win!

Please Complete an Evaluation Your feedback is important!

Multiple ways to Evaluate Sessions

Scan the Tag to evaluate this session now on myTechEd Mobile

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.