Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Agenda: Overview, Deployment, Operations, New in DNS

Demo: DNS spoofing


Beyond Virtualization: Windows Server 2012 offers a dynamic, multi-tenant infrastructure that goes beyond virtualization to provide maximum flexibility for delivering and connecting to cloud services.

Modern Workstyle, Enabled: Windows Server 2012 empowers IT to provide users with flexible access to data and applications from virtually anywhere on any device with a rich user experience, while simplifying management and helping maintain security, control and compliance.

The Power of Many Servers, the Simplicity of One: Windows Server 2012 offers excellent economics by integrating a highly available and easy-to-manage multi-server platform with breakthrough efficiency and ubiquitous automation.

Every App, Any Cloud: Windows Server 2012 is a broad, scalable and elastic server platform that gives you the flexibility to build and deploy applications and websites on-premises, in the cloud and in a hybrid environment, using a consistent set of tools and frameworks.


Resolution walk (ISP resolver, root, com, contoso.com): the ISP resolver wants a record in contoso.com. ISP: "I don't have that information, I'll ask root." Root: "I don't have that information, ask com." com: "I don't have that information, ask contoso.com." contoso.com: "No problem, here is the A record and its RRSIG."

Validating the answer: the resolver now holds the A record with its RRSIG, plus the contoso.com DNSKEY(KSK) and DNSKEY(ZSK) records with their DNSKEY RRSIG. "An RRSIG has been returned. I will validate to see if this is correct." It computes the hash of the A record, recovers the hash carried in the RRSIG by decrypting it with DNSKEY(ZSK), and compares the two.

"But how do I know the DNSKEY is not spoofed?" The DNSKEY RRset is itself signed: the resolver computes the hash of the contoso.com DNSKEY(ZSK) record, decrypts the DNSKEY RRSIG with contoso.com DNSKEY(KSK), and compares the two hashes.

"But how do I know I have the correct KSK DNSKEY?" The parent zone (com) publishes a contoso.com DS record (with its own RRSIG): the resolver computes the hash of contoso.com DNSKEY(KSK) and compares it with the digest in the contoso.com DS record.

"com could be spoofed, right? Let's check!" The resolver fetches com DNSKEY(KSK) and com DNSKEY(ZSK) with their DNSKEY RRSIG, computes the hash of the contoso.com DS record, decrypts the contoso.com DS RRSIG with com DNSKEY(ZSK), and compares.

"I will validate all the way to root by building a chain up to root." The chain consists of: the A record and its RRSIG; contoso.com DNSKEY(KSK), DNSKEY(ZSK) and their RRSIG; com DNSKEY(KSK), DNSKEY(ZSK) and their RRSIG; the contoso.com DS record and its RRSIG; root DNSKEY(KSK), DNSKEY(ZSK) and their RRSIG; the com DS record and its RRSIG.

"Who do I ask to make sure root's KSK DNSKEY is correct? Wait a minute... I already have the DNSKEY record for root in my Trust Anchor store. Let's use it." The root DNSKEY(KSK) received in the response is compared with the root DNSKEY(KSK) held in the Trust Anchor store.

"I have completed my validation and everything checks out!" Every link of the chain (A + RRSIG; contoso.com DNSKEYs + RRSIG; com DNSKEYs + RRSIG; contoso.com DS + RRSIG; root DNSKEYs + RRSIG; com DS + RRSIG) has been verified back to the trust anchor.
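
The DS-to-DNSKEY links of the chain walked above, as an added example that is not part of the presentation or of the Windows DNS server code. It computes the RFC 4034 key tag and the RFC 4509 SHA-256 DS digest over a DNSKEY record, then walks from contoso.com up to the root, requiring at each step that a DS record from the parent matches a KSK received from the child and, at the top, that the root KSK equals the trust anchor. All key material, zone names and DS records below are constructed; RRSIG signature checking (the "decrypt with DNSKEY" steps) is not modelled, only the DS and trust-anchor links.

```python
"""Chain-of-trust walk (DS -> DNSKEY links only); added illustration, constructed data."""
import hashlib
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsKey:
    owner: str          # zone name, e.g. "contoso.com."
    flags: int          # 257 = KSK (SEP bit set), 256 = ZSK
    algorithm: int      # 8 = RSA/SHA-256
    public_key: bytes   # constructed stand-in for the public key
    protocol: int = 3


@dataclass(frozen=True)
class DsRecord:
    child: str
    key_tag: int
    algorithm: int
    digest_type: int    # 2 = SHA-256
    digest: bytes


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 s6): lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(key: DnsKey) -> bytes:
    return struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.public_key


def key_tag(key: DnsKey) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    acc = 0
    for i, b in enumerate(dnskey_rdata(key)):
        acc += b << 8 if i % 2 == 0 else b
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_digest(key: DnsKey) -> bytes:
    """DS digest type 2 (RFC 4509): SHA-256(owner name wire form || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(key.owner) + dnskey_rdata(key)).digest()


def make_ds(key: DnsKey) -> DsRecord:
    """What the parent zone publishes for the child's KSK."""
    return DsRecord(key.owner, key_tag(key), key.algorithm, 2, ds_digest(key))


def ds_matches(ds: DsRecord, key: DnsKey) -> bool:
    """The validator recomputes the digest from the DNSKEY it actually received."""
    return (ds.key_tag == key_tag(key) and ds.algorithm == key.algorithm
            and ds.digest_type == 2 and ds.digest == ds_digest(key))


def parent_of(zone: str) -> str:
    labels = zone.rstrip(".").split(".")
    return ".".join(labels[1:]) + "." if len(labels) > 1 else "."


def validate_chain(trust_anchor, received_keys, received_ds, target):
    """Walk from `target` to the root; return the zones validated or raise ValueError."""
    zone, validated = target, []
    while zone != ".":
        ksks = [k for k in received_keys.get(zone, []) if k.flags & 1]   # SEP bit => KSK
        if not any(ds_matches(ds, k) for ds in received_ds.get(zone, []) for k in ksks):
            raise ValueError(f"no DS in {parent_of(zone)} matches a KSK received for {zone}")
        validated.append(zone)
        zone = parent_of(zone)
    if trust_anchor not in received_keys.get(".", []):
        raise ValueError("root DNSKEY(KSK) does not match the trust anchor")
    validated.append(".")
    return validated


# Constructed keys; the root KSK doubles as the Trust Anchor store entry.
ROOT_KSK = DnsKey(".", 257, 8, b"root-ksk-constructed")
COM_KSK = DnsKey("com.", 257, 8, b"com-ksk-constructed")
CONTOSO_KSK = DnsKey("contoso.com.", 257, 8, b"contoso-ksk-constructed")
CONTOSO_ZSK = DnsKey("contoso.com.", 256, 8, b"contoso-zsk-constructed")
TRUST_ANCHOR = ROOT_KSK


def good_responses():
    keys = {".": [ROOT_KSK], "com.": [COM_KSK], "contoso.com.": [CONTOSO_KSK, CONTOSO_ZSK]}
    ds = {"com.": [make_ds(COM_KSK)], "contoso.com.": [make_ds(CONTOSO_KSK)]}
    return keys, ds


def spoofed_responses():
    """A substituted contoso.com KSK: the DS in com no longer matches it."""
    keys, ds = good_responses()
    keys = dict(keys)
    keys["contoso.com."] = [DnsKey("contoso.com.", 257, 8, b"other-constructed-key"), CONTOSO_ZSK]
    return keys, ds


def chain_is_valid(keys, ds, target="contoso.com."):
    try:
        validate_chain(TRUST_ANCHOR, keys, ds, target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("validated:", validate_chain(TRUST_ANCHOR, *good_responses(), "contoso.com."))
    print("spoofed contoso.com KSK accepted?", chain_is_valid(*spoofed_responses()))
```

Note that the walk starts at the leaf and stops at the root, exactly as the slides do: each DS is only trusted once the zone that published it has itself been linked to the trust anchor, and the root KSK is never derived from a response, only compared with the stored anchor.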

contoso.com (unsigned): A records for accounting.contoso.com, enroll.contoso.com, server3.contoso.com and hr.contoso.com.

contoso.com (signed with NSEC): the same A records, plus a Next Secure (NSEC) record for every name in the zone pointing to the next name: contoso.com -> accounting.contoso.com -> enroll.contoso.com -> hr.contoso.com -> server3.contoso.com -> contoso.com.

Query for budget.contoso.com against contoso.com (signed with NSEC): the NSEC record covering the gap proves the name does not exist. "Hmm... but now we have learned there are no records between budget and accounting", i.e. the proof also reveals the real names on either side of the gap.

contoso.com (signed with NSEC3): the same A records, but the Next Secure 3 (NSEC3) chain is built over hashed owner names (on the slide: oejsnw854jr, km8301jsdyew, mhsq74ikjdj, ythe84jkf, kdfshjdfswe98, mdjeu489wjd). A query for budget.contoso.com returns a hashed response, to prevent dictionary attacks on the zone contents.
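
The NSEC and NSEC3 behaviour described above, as an added example that is not part of the presentation or of the Windows DNS server code. It builds both chains for the five names on the slides, then answers a query for budget.contoso.com: the NSEC answer names the two real neighbours of the gap, while the NSEC3 answer only carries two hashed owner names. The NSEC3 hash follows RFC 5155 section 5 (SHA-1 over the canonical wire-form name and salt, iterated, base32hex encoded); the salt and iteration count used for contoso.com are constructed, and the helper `rfc5155_example_hash` uses the salt and iteration count from RFC 5155 Appendix A so its output can be compared with that appendix.

```python
"""NSEC vs NSEC3 denial of existence; added illustration, constructed salt and iterations."""
import hashlib

ZONE_NAMES = ["contoso.com", "accounting.contoso.com", "enroll.contoso.com",
              "hr.contoso.com", "server3.contoso.com"]
SALT = bytes.fromhex("aabbccdd")   # constructed salt for the contoso.com example
ITERATIONS = 10                    # constructed additional hash iterations
B32HEX = "0123456789abcdefghijklmnopqrstuv"


def canonical_key(name):
    """Sort key giving RFC 4034 canonical name order (labels compared right to left, case-folded)."""
    return tuple(reversed(name.lower().rstrip(".").split(".")))


def name_to_wire(name):
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """RFC 4648 base32hex without padding (20 SHA-1 bytes become exactly 32 characters)."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def nsec3_hash(name, salt, iterations):
    """RFC 5155 s5: H(name || salt), then `iterations` further rounds of H(previous || salt)."""
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def build_nsec_chain(names):
    """(owner, next owner) pairs in canonical order; the last record wraps to the first."""
    ordered = sorted(names, key=canonical_key)
    return [(ordered[i], ordered[(i + 1) % len(ordered)]) for i in range(len(ordered))]


def build_nsec3_chain(names, salt, iterations):
    """Same chain shape, but over hashed owner names sorted by hash value."""
    hashed = sorted(nsec3_hash(n, salt, iterations) for n in names)
    return [(hashed[i], hashed[(i + 1) % len(hashed)]) for i in range(len(hashed))]


def find_cover(chain, query, key=lambda x: x):
    """Return ('exists', owner, next) when `query` is an owner in the chain, otherwise the
    ('covered', owner, next) record whose interval proves it is absent. The record whose
    owner sorts after its next name is the wrap-around record at the end of the chain."""
    q = key(query)
    for owner, nxt in chain:
        o, n = key(owner), key(nxt)
        if q == o:
            return ("exists", owner, nxt)
        if o < q < n or (o >= n and (q > o or q < n)):
            return ("covered", owner, nxt)
    raise ValueError("malformed chain")


def nsec_answer(qname):
    return find_cover(build_nsec_chain(ZONE_NAMES), qname, key=canonical_key)


def nsec3_answer(qname):
    chain = build_nsec3_chain(ZONE_NAMES, SALT, ITERATIONS)
    return find_cover(chain, nsec3_hash(qname, SALT, ITERATIONS))


def rfc5155_example_hash():
    """Hash of the apex 'example.' with the RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations)."""
    return nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12)


if __name__ == "__main__":
    print("NSEC  budget.contoso.com:", nsec_answer("budget.contoso.com"))
    print("NSEC3 budget.contoso.com:", nsec3_answer("budget.contoso.com"))
    print("NSEC3 hr.contoso.com    :", nsec3_answer("hr.contoso.com"))
    print("RFC 5155 A.1 apex hash  :", rfc5155_example_hash())
```

The NSEC answer for budget.contoso.com is the pair (accounting.contoso.com, enroll.contoso.com), which is the leak the slide complains about; the NSEC3 answer is a pair of 32-character hashes that a resolver can check but an observer can only map back to names by hashing guesses, one at a time, with the zone's salt and iteration count.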

Demo: signing a zone


Enabling enterprise DNSSEC rollout

Standards:
- Latest RFCs
- NSEC3 support
- RSA/SHA-2 signing
- Automated Trust Anchor rollover

Active Directory integration:
- Active Directory integrated
- Support for dynamic updates
- Preserving the multi-master DNS model
- Leverage AD for secure key distribution and Trust Anchor distribution

Automation:
- Automated re-signing on static and dynamic updates
- Automated key rollovers
- Automated signature refresh
- Automated updating of secure delegations
- Automated distribution and updating of Trust Anchors

Deployment scenario: an Active Directory integrated zone in a classic multi-master deployment, hosted on five DNS servers that are also domain controllers.


Key master: a single location for all key generation and management, which drives automated rollover. The administrator designates one server to be the key master; the first DNSSEC server becomes the KM.

Key distribution: private zone signing keys replicate automatically to all DCs hosting the zone through AD replication. Each zone owner signs its own copy of the zone when it receives the key. Only Windows 8 DCs will sign their copy of the zone.

Dynamic updates in a signed multi-master zone:
1. Client sends a dynamic update to any authoritative DNS server.
2. That DNS server updates its own copy of the zone and generates signatures.
3. The unsigned update is replicated to all other authoritative servers.
4. Each DNS server adds the update to its copy of the zone and generates signatures.

Demo: deploying a Trust Anchor

Trust Anchor distribution:
- Trust Anchors replicate via AD to all DNS servers that are DCs in the forest.
- Distribution of TAs to servers that are not domain controllers in the forest is manual, via PowerShell or DNS Manager.

Trust Anchor maintenance:
- Trust Anchor updates are automatically replicated via AD to all servers in the forest.
- Automated Trust Anchor rollover is used to keep TAs up to date.

Using Windows Server 8 on the intranet:
1. Introduce Windows Server 2012 DCs.
2. Sign the zone.
3. Roll out Windows Server 2012 DCs.
4. Update LDNS to Windows Server 2012.
5. Deploy TAs on the LDNS server.
6. Enable validation on all LDNS servers.
7. Deploy the last mile solution.
8. Automated DNSSEC rollover.

ZSK rollover for contoso.com (diagram): the KSK stays in place while ZSK1 is replaced by ZSK2 in phases: Initial; Insert new key; Replicate; Resign with new key; Remove old key.

Signatures stay up to date:
- New records are signed automatically when zone data changes (static and dynamic updates).
- NSEC records are kept up to date.

Automated key rollovers:
- Key rollover frequency is configured per zone.
- The key master automatically generates new keys and replicates them via AD.
- Zone owners roll over keys and re-sign the zone.
- Secure delegations from the parent are also automatically updated (within the same forest).
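
Why the rollover phases on the preceding slides are ordered as they are (insert the new key, let it replicate, re-sign, only then remove the old key), as an added example that is not part of the presentation or of the Windows DNS server code. The model treats a signature as nothing more than the id of the key that produced it, and a validating resolver as accepting an answer when that key id is present in the DNSKEY RRset it currently holds; what makes ordering matter is caching, since a resolver's DNSKEY RRset and its cached answer may have been fetched at different moments, each up to TTL seconds old. Key ids, the TTL and the step timings are constructed; `rollover_is_safe` checks every combination of cache ages the rollover must survive.

```python
"""Pre-publish ZSK rollover timing check; added illustration, constructed timings and key ids."""

TTL = 3600  # constructed TTL shared by the DNSKEY RRset and the signed answer


def state_at(steps, time):
    """Replay the rollover steps up to `time`; return (published DNSKEY ids, signing key id)."""
    keys, signer = {"ZSK1"}, "ZSK1"
    for t, action in steps:
        if t > time:
            break
        if action == "insert ZSK2":
            keys = keys | {"ZSK2"}
        elif action == "resign with ZSK2":
            signer = "ZSK2"
        elif action == "remove ZSK1":
            keys = keys - {"ZSK1"}
    return keys, signer


def rollover_is_safe(steps, ttl=TTL):
    """Check every resolver cache combination the rollover must tolerate.

    At each step time (and once more after the last step has aged out of every
    cache), consider a resolver whose DNSKEY RRset was cached at time k and whose
    answer was cached at time a, both less than `ttl` seconds old. The zone only
    changes at step times, so trying k and a at the step times inside that window,
    at `now` itself and at the oldest still-fresh moment covers every case.
    Returns (True, None), or (False, (now, k, a)) for the first failure found.
    """
    times = [t for t, _ in steps]
    for now in times + [max(times) + ttl]:
        window = [now, max(now - ttl + 1, 0)] + [t for t in times if now - ttl < t <= now]
        for k in window:
            keys, _ = state_at(steps, k)
            for a in window:
                _, signer = state_at(steps, a)
                if signer not in keys:
                    return False, (now, k, a)
    return True, None


# The sequence on the slides: insert the new key, let it replicate and reach every
# cache, re-sign with it, and remove the old key only after the old signatures expired.
SAFE_STEPS = [(0, "initial"), (100, "insert ZSK2"),
              (100 + TTL, "resign with ZSK2"), (100 + 2 * TTL, "remove ZSK1")]
# Re-signing before the DNSKEY RRset containing ZSK2 has reached every cache.
RESIGN_TOO_SOON = [(0, "initial"), (100, "insert ZSK2"),
                   (200, "resign with ZSK2"), (300, "remove ZSK1")]
# Removing ZSK1 while answers it signed can still sit in a cache.
REMOVE_TOO_SOON = [(0, "initial"), (100, "insert ZSK2"),
                   (100 + TTL, "resign with ZSK2"), (200 + TTL, "remove ZSK1")]

if __name__ == "__main__":
    for label, steps in [("safe", SAFE_STEPS), ("resign too soon", RESIGN_TOO_SOON),
                         ("remove too soon", REMOVE_TOO_SOON)]:
        print(f"{label:16s}", rollover_is_safe(steps))
```

The two failing sequences fail for different resolvers: re-signing too soon breaks a resolver that still holds the old DNSKEY RRset and fetches a fresh answer, while removing the old key too soon breaks a resolver that holds a fresh DNSKEY RRset and an answer that ZSK1 signed before the re-sign. The automated rollover described on the slides exists precisely to keep both waits long enough without an administrator counting TTLs.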

Last mile (diagram): the non-authoritative DNS resolver validates with DNSSEC against the server authoritative for the zone; the last mile between client and resolver is protected with IPsec, configured through GPO.

Demo: last mile
