Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Presentation transcript:

1 Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325


3 Agenda: Overview, Deployment, Operations, New in DNS

4 DNS Spoofing Demo


6 Beyond Virtualization Windows Server 2012 offers a dynamic, multi-tenant infrastructure that goes beyond virtualization to provide maximum flexibility for delivering and connecting to cloud services. Modern Workstyle, Enabled Windows Server 2012 empowers IT to provide users with flexible access to data and applications from virtually anywhere on any device with a rich user experience, while simplifying management and helping maintain security, control and compliance. The Power of Many Servers, the Simplicity of One Windows Server 2012 offers excellent economics by integrating a highly available and easy to manage multi-server platform with breakthrough efficiency and ubiquitous automation. Every App, Any Cloud WS2012 is a broad, scalable and elastic server platform that gives you the flexibility to build and deploy applications and websites on-premises, in the cloud and in a hybrid environment, using a consistent set of tools and frameworks.


8 Resolving www.contoso.com with a stub client, the ISP's recursive resolver, and the root, com and contoso.com authoritative servers:
Client: www.contoso.com?
ISP resolver: I don't have that information. I'll ask root.
root: I don't have that information; ask com.
com: I don't have that information; ask contoso.com.
contoso.com: No problem, it's 65.55.39.10 (www.contoso.com A; in a signed zone the answer also carries the www.contoso.com RRSIG).

9 An RRSIG has been returned. I will validate to see if this is correct. The ISP resolver holds www.contoso.com A and www.contoso.com RRSIG, and fetches the contoso.com DNSKEY RRset (DNSKEY(KSK) and DNSKEY(ZSK)) together with its RRSIG. It computes the hash of the www.contoso.com A RRset and verifies the www.contoso.com RRSIG over that hash with the public contoso.com DNSKEY(ZSK). (An RRSIG is a signature: it is verified with the public key, not decrypted.)

10 But how do I know the DNSKEY is not spoofed? The DNSKEY RRset is itself signed: the resolver computes the hash of the contoso.com DNSKEY RRset (KSK and ZSK) and verifies the contoso.com DNSKEY RRSIG with the contoso.com DNSKEY(KSK).

11 But how do I know I have the correct KSK DNSKEY? The resolver computes the digest of contoso.com DNSKEY(KSK) and compares it with the contoso.com DS record that the parent zone, com, serves together with the contoso.com DS RRSIG. If no DS matches the key's digest, the contoso.com KSK is not trusted.

12 com could be spoofed, right? Let's check! The resolver fetches com DNSKEY(KSK), com DNSKEY(ZSK) and the com DNSKEY RRSIG, computes the hash of the contoso.com DS RRset and verifies the contoso.com DS RRSIG with the com DNSKEY(ZSK). The com DNSKEY RRset is then verified with the com DNSKEY(KSK), exactly as slides 9 to 11 did for contoso.com.

13 I will validate all the way to root by building a chain up to root:
www.contoso.com A, www.contoso.com RRSIG (verified with contoso.com DNSKEY(ZSK))
contoso.com DNSKEY(KSK), contoso.com DNSKEY(ZSK), contoso.com DNSKEY RRSIG (verified with contoso.com DNSKEY(KSK))
contoso.com DS, contoso.com DS RRSIG (DS matches the digest of contoso.com DNSKEY(KSK); RRSIG verified with com DNSKEY(ZSK))
com DNSKEY(KSK), com DNSKEY(ZSK), com DNSKEY RRSIG (verified with com DNSKEY(KSK))
com DS, com DS RRSIG (DS matches the digest of com DNSKEY(KSK); RRSIG verified with root DNSKEY(ZSK))
root DNSKEY(KSK), root DNSKEY(ZSK), root DNSKEY RRSIG (verified with root DNSKEY(KSK))

14 Who do I ask to make sure root's KSK DNSKEY is correct? There is no parent above root to serve a DS record. Wait a minute... I already have the root DNSKEY(KSK) in my Trust Anchor store. Let's use it: the root DNSKEY(KSK) received over the wire must match the configured trust anchor, and the root DNSKEY RRSIG (covering the root KSK and ZSK) must verify with it.

15 I have completed my validation and everything checks out! Every link is verified: www.contoso.com A and RRSIG; contoso.com DNSKEY(KSK), DNSKEY(ZSK) and RRSIG; contoso.com DS and RRSIG; com DNSKEY(KSK), DNSKEY(ZSK) and RRSIG; com DS and RRSIG; root DNSKEY(KSK), DNSKEY(ZSK) and RRSIG, anchored at the root KSK held in the trust anchor store.
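The check on slide 11 ("do I have the correct KSK?") comes down to one digest comparison. As an added example, not part of the deck or of Microsoft's code, the PowerShell below builds a DS record from a DNSKEY the way RFC 4034 section 5.1.4 specifies (SHA-256 over the canonical owner name in wire format followed by the DNSKEY RDATA, plus the RFC 4034 Appendix B key tag) so the result can be compared with the DS the parent serves. The key bytes are constructed filler, not contoso.com's real key; the Export-DnsServerDnsSecPublicKey call mentioned in the closing comment is the DnsServer module's own way to produce the DS set, and its parameter names are quoted from memory.

```powershell
# Added example, not from the deck: build the DS record for a DNSKEY (RFC 4034 section 5.1.4)
# so it can be compared with the DS the parent zone serves.
#   digest = SHA-256(canonical owner name in wire format || DNSKEY RDATA)
# Constructed inputs only; no real contoso.com key material is used.

function ConvertTo-DnsWireName {
    param([Parameter(Mandatory)][string]$Name)
    # Canonical form: lowercase, each label prefixed by its length, terminated by a zero byte.
    $out = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($label in $Name.ToLowerInvariant().TrimEnd('.').Split('.')) {
        if ($label.Length -eq 0) { continue }                 # the root name "." has no labels
        $lb = [System.Text.Encoding]::ASCII.GetBytes($label)
        $out.Add([byte]$lb.Length)
        $out.AddRange([byte[]]$lb)
    }
    $out.Add([byte]0)
    return ,$out.ToArray()
}

function Get-DnsKeyTag {
    param([Parameter(Mandatory)][byte[]]$Rdata)
    # RFC 4034 Appendix B: 16-bit checksum over the RDATA, used to pair a DS with its DNSKEY.
    $ac = 0
    for ($i = 0; $i -lt $Rdata.Length; $i++) {
        if ($i % 2 -eq 0) { $ac += ([int]$Rdata[$i] -shl 8) } else { $ac += [int]$Rdata[$i] }
    }
    $ac += (($ac -shr 16) -band 0xFFFF)
    return ($ac -band 0xFFFF)
}

function Get-DnsDsRecord {
    param(
        [Parameter(Mandatory)][string]$Owner,            # zone whose KSK this is, e.g. contoso.com
        [Parameter(Mandatory)][string]$PublicKeyBase64,  # DNSKEY public key field
        [int]$Flags = 257,                                # 257 = Zone Key + Secure Entry Point (a KSK)
        [int]$Protocol = 3,                               # always 3 for DNSSEC
        [int]$Algorithm = 8                               # 8 = RSA/SHA-256
    )
    $rd = New-Object 'System.Collections.Generic.List[byte]'
    $rd.Add([byte]($Flags -shr 8)); $rd.Add([byte]($Flags -band 0xFF))
    $rd.Add([byte]$Protocol);       $rd.Add([byte]$Algorithm)
    $rd.AddRange([byte[]][Convert]::FromBase64String($PublicKeyBase64))
    [byte[]]$rdata  = $rd.ToArray()
    [byte[]]$toHash = (ConvertTo-DnsWireName $Owner) + $rdata
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $hex = ($sha.ComputeHash($toHash) | ForEach-Object { $_.ToString('x2') }) -join ''
    [pscustomobject]@{
        Owner = $Owner; KeyTag = (Get-DnsKeyTag $rdata); Algorithm = $Algorithm
        DigestType = 2; Digest = $hex                     # digest type 2 = SHA-256
    }
}

# Constructed sample key material (deterministic filler bytes, not a real RSA key).
$sampleKey = [Convert]::ToBase64String([byte[]](1..64 | ForEach-Object { [byte](($_ * 7) % 256) }))
$ds = Get-DnsDsRecord -Owner 'contoso.com' -PublicKeyBase64 $sampleKey
'{0}. IN DS {1} {2} {3} {4}' -f $ds.Owner, $ds.KeyTag, $ds.Algorithm, $ds.DigestType, $ds.Digest

# A validator accepts the child's KSK only if the parent serves a DS with the same key tag,
# algorithm, digest type and digest:   Resolve-DnsName -Name contoso.com -Type DS -DnssecOk
# On the signed zone's key master the module exports the matching DS and DNSKEY sets with
# Export-DnsServerDnsSecPublicKey -ZoneName contoso.com -Path C:\dnssec   (parameter names assumed)
```

The same digest logic is what the resolver in slides 11 and 12 applies twice, once for contoso.com's KSK against the DS in com and once for com's KSK against the DS in root; only the root KSK is compared against the local trust anchor store instead of a parent DS.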

16 contoso.com (unsigned):
accounting.contoso.com A record
enroll.contoso.com A record
server3.contoso.com A record
hr.contoso.com A record
www.contoso.com A record
contoso.com (signed with NSEC): the same A records, plus a Next Secure (NSEC) record at every name, each pointing to the next name in canonical order:
contoso.com NSEC, next secure: accounting.contoso.com
accounting.contoso.com NSEC, next secure: enroll.contoso.com
enroll.contoso.com NSEC, next secure: hr.contoso.com
hr.contoso.com NSEC, next secure: server3.contoso.com
server3.contoso.com NSEC, next secure: www.contoso.com
www.contoso.com NSEC, next secure: contoso.com (the chain wraps back to the zone apex)

17 contoso.com (signed with NSEC), query for budget.contoso.com, a name that does not exist. The authoritative server answers with the signed NSEC record for accounting.contoso.com (next secure: enroll.contoso.com), which proves that no name sorts between accounting and enroll, so budget cannot exist. Hmm... but now we have also learned the two real names on either side of budget; by asking for a name just after each "next secure" value, anyone can walk the chain and enumerate the whole zone.

18 contoso.com (signed with NSEC3), same query for budget.contoso.com. NSEC3 replaces each owner name in the chain with a salted hash (oejsnw854jr, km8301jsdyew, mhsq74ikjdj, ythe84jkf, kdfshjdfswe98, mdjeu489wjd in the slide's illustration), so the negative answer still proves nonexistence but no longer reveals the neighbouring names, which stops straightforward zone walking. The hashes can still be attacked offline with a dictionary of likely host names; salt and extra hash iterations make that slower, not impossible.

19 Signing a zone Demo
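The signing demo is not reproduced in the transcript. As an added example, not the deck's demo script, the PowerShell below signs an AD-integrated zone with explicit KSK/ZSK settings and NSEC3 denial of existence (the choice discussed on slides 16 to 18), then checks the result. It assumes the DnsServer module on Windows Server 2012 or later, a primary zone contoso.com hosted on the server where it runs, and that zone-level DNSSEC settings can be set before signing; key sizes, rollover periods and the NSEC3 parameter names are illustrative and taken from memory of the module's documentation.

```powershell
# Added example, not from the deck: sign contoso.com from PowerShell with explicit keys
# and NSEC3, then verify. Assumes the DnsServer module; values are illustrative.
Import-Module DnsServer

$zone = 'contoso.com'

# Key Signing Key: RSA/SHA-256, 2048 bits. A KSK rollover needs a new DS at the parent,
# so it is rolled rarely (here every two years).
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 730)

# Zone Signing Key: RSA/SHA-256, 1024 bits. Rolled with a pre-publish rollover every
# 90 days; the parent is not involved because the DS points at the KSK.
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 `
    -KeyLength 1024 -RolloverPeriod (New-TimeSpan -Days 90)

# Use NSEC3 so a negative answer does not hand out neighbouring names (slide 18).
# RFC 9276 (2022) recommends 0 iterations and no salt: extra iterations cost every
# validator more than they cost a dictionary attacker. (-NSec3RandomSaltLength sets the salt.)
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 -NSec3Iterations 0

# Sign with the keys configured above; -Force suppresses the confirmation prompt.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# Verify: the zone should now carry DNSKEY, RRSIG and NSEC3 records.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
'RRSIG count: {0}' -f (Get-DnsServerResourceRecord -ZoneName $zone -RRType Rrsig).Count
Get-DnsServerResourceRecord -ZoneName $zone -RRType NSec3 | Select-Object -First 3

# A nonexistent name now yields an NSEC3 proof instead of a plain-text NSEC chain.
Resolve-DnsName -Name "budget.$zone" -Type A -DnssecOk -Server localhost
```

Signing on one DC makes that DC the key master (slide 27); the private keys then replicate through AD and every Windows Server 2012 DC hosting the zone signs its own copy, which is why the verification step above is worth repeating against each DC.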


21 ENABLING ENTERPRISE DNSSEC ROLLOUT
- Latest RFCs
- NSEC3 support
- RSA/SHA-2 signing
- Automated Trust Anchor rollover

22
- Active Directory integrated
- Support for dynamic updates
- Preserving the multi-master DNS model
- Leverage AD for secure key distribution and Trust Anchor distribution


24
- Automated re-signing on static and dynamic updates
- Automated key rollovers
- Automated signature refresh
- Automated updating of secure delegations
- Automated distribution and updating of Trust Anchors

25 Active Directory integrated zone: a classic multi-master deployment, hosted on five DNS servers that are also domain controllers.


27 Key Master: a single location for all key generation and management, which drives automated rollover. The administrator designates one server to be the key master; the first DNSSEC server, the one on which the zone is signed, becomes the key master (KM).

28 Private zone signing keys replicate automatically to all DCs hosting the zone through AD replication. Each zone owner signs its own copy of the zone when it receives the key. Only Windows Server 2012 DCs (the slide uses the pre-release name, Windows 8) will sign their copy of the zone.

29 Dynamic update in a signed, AD-integrated zone:
1. Client sends a dynamic update to any authoritative DNS server.
2. That DNS server updates its own copy of the zone and generates signatures.
3. The unsigned update is replicated to all other authoritative servers.
4. Each DNS server adds the update to its copy of the zone and generates its own signatures.

30 Deploy Trust Anchor Demo

31 Trust Anchor distribution: Trust Anchors replicate via AD to all DNS servers that are DCs in the forest. Distribution of TAs to servers that are not domain controllers in the forest is manual, via PowerShell or DNS Manager. Trust Anchor maintenance: Trust Anchor updates are automatically replicated via AD to all servers in the forest, and automated Trust Anchor rollover keeps TAs up to date.
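The two distribution paths on slide 31 (automatic through AD for DCs, manual for everything else) map onto a few cmdlets. As an added example, not from the deck, the PowerShell below turns on AD distribution on the key master, exports the public keys for servers outside the forest, and installs the KSK as a trust anchor on a non-DC caching resolver before testing validation. It assumes the DnsServer module on Windows Server 2012; the export path, the placeholder key string and the exact export parameter names are assumptions, and the trust anchor must be taken from the real export, not from the placeholder.

```powershell
# Added example, not from the deck: trust anchor handling for contoso.com.
# Assumes the DnsServer module; paths, host names and the placeholder key are illustrative.
Import-Module DnsServer
$zone = 'contoso.com'

# On the key master: have AD distribute the zone's DNSKEY as a trust anchor to every DNS
# server that is a DC in the forest (slide 31, automatic path).
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DistributeTrustAnchor DnsKey

# Export the public key set for servers outside the forest (manual path). The export
# writes the DNSKEY and DS record sets for the zone into the given folder (parameter names assumed).
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\dnssec\export'

# On a non-DC caching resolver (for example the ISP-style LDNS of slides 8 to 15): install
# the exported KSK as a trust anchor. Paste the Base64 public key from the export here.
$kskBase64 = '<paste the exported KSK public key, Base64>'   # placeholder, not real key material
Add-DnsServerTrustAnchor -Name $zone -KeyProtocol Dnssec -CryptoAlgorithm RsaSha256 -Base64Data $kskBase64
# The DS form (-KeyTag/-DigestType/-Digest) is also accepted if only the DS record is at hand.

# Check the trust point and anchor state, then query with the DO bit set; the answer
# should validate against the anchor just installed.
Get-DnsServerTrustPoint -Name $zone
Get-DnsServerTrustAnchor -Name $zone
Resolve-DnsName -Name "www.$zone" -Type A -DnssecOk -Server localhost
```

Because the anchor is the zone's KSK, a KSK rollover has to reach every manually configured resolver as well; the automated trust anchor rollover on slide 24 only covers servers that receive the anchor through AD.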

32 USING WINDOWS SERVER 2012 ON THE INTRANET (the slide uses the pre-release name Windows Server 8):
- Introduce Windows Server 2012 DCs
- Sign zone
- Roll out Windows Server 2012 DCs
- Update LDNS to Windows Server 2012
- Deploy TAs on LDNS servers
- Validation on all LDNS servers
- Deploy last mile solution
- Automated DNSSEC rollover

33 ZSK rollover for contoso.com (the KSK is unchanged): ZSK1 is the initial active key, ZSK2 the incoming key. Phases: Initial, Insert new Key, Replicate, Resign w/ new Key, Remove old Key.

34 Continuation of the ZSK rollover for contoso.com: ZSK2 is now the active key and ZSK1 the old key being removed. Phases: Initial, Insert new Key, Replicate, Resign w/ new Key, Remove old Key.

35 Signatures stay up to date:
- New records are signed automatically when zone data changes (static and dynamic updates)
- NSEC records are kept up to date
Automated key rollovers:
- Key rollover frequency is configured per zone
- Key master automatically generates new keys and replicates them via AD
- Zone owners roll over keys and re-sign the zone
- Secure delegations from the parent are also automatically updated (within the same forest)
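Slides 27 to 29 and 33 to 35 describe one operational loop: the key master generates keys, AD replicates them, every DC re-signs its own copy, and rollovers run on a per-zone schedule. As an added example, not from the deck, the PowerShell below shows how an operator inspects that loop: which server is key master, what the configured rollover periods are, how to force a ZSK rollover ahead of schedule, and how to confirm that each DC has produced its own signatures. It assumes the DnsServer module; DC names and the property names printed by Format-Table are assumptions based on the module's documented output, and the commented-out seize command is only for a key master that is permanently gone.

```powershell
# Added example, not from the deck: key master and rollover checks for contoso.com.
# Assumes the DnsServer module; DC names and output property names are illustrative.
Import-Module DnsServer
$zone = 'contoso.com'

# Which server is the key master (the only place keys are generated, slide 27)?
(Get-DnsServerDnsSecZoneSetting -ZoneName $zone).KeyMasterServer

# The zone's keys with their per-zone rollover configuration (slide 35).
Get-DnsServerSigningKey -ZoneName $zone |
    Format-Table KeyId, KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod, NextRolloverTime -AutoSize

# Force a ZSK rollover now instead of waiting for the period. This is the pre-publish
# sequence of slides 33 and 34: new key inserted, replicated, zone re-signed, old key removed.
$zsk = Get-DnsServerSigningKey -ZoneName $zone | Where-Object KeyType -eq 'ZoneSigningKey' | Select-Object -First 1
Invoke-DnsServerSigningKeyRollover -ZoneName $zone -KeyId $zsk.KeyId -Force

# Every DC hosting the zone signs its own copy (slide 28); signatures are not replicated,
# so compare RRSIG counts across the DCs rather than assuming one DC speaks for all.
foreach ($dc in 'dc1', 'dc2', 'dc3') {
    $n = (Get-DnsServerResourceRecord -ComputerName "$dc.$zone" -ZoneName $zone -RRType Rrsig -ErrorAction Stop).Count
    '{0}: {1} RRSIG records' -f $dc, $n
}

# If the key master is lost for good, move the role to another DC that hosts the zone.
# Reset-DnsServerZoneKeyMasterRole -ZoneName $zone -KeyMasterServer "dc2.$zone" -SeizeRole
```

A KSK rollover differs from the ZSK case in one respect the slide already hints at: the new DS is pushed to the parent automatically only when the parent zone lives in the same forest, so a KSK rollover for a zone delegated from an external parent stalls until the parent's DS is updated by hand.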

36 Last mile: the server authoritative for the zone answers the non-authoritative DNS resolver, which performs the DNSSEC validation; the client-to-resolver path is protected with IPsec, and the client policy that requires this is delivered by GPO.

37 Last Mile Demo
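The last-mile demo is not reproduced in the transcript. As an added example, not the deck's demo, the PowerShell below creates the client-side policy that slide 36 describes: a Name Resolution Policy Table rule, delivered through a GPO, under which Windows clients ask for DNSSEC validation for contoso.com names, refuse unvalidated answers, and require IPsec to the local resolver. It assumes the DnsClient and GroupPolicy modules on a Windows Server 2012 management host, a GPO named as shown, and IPsec connection security rules already in place between clients and the LDNS; those names are illustrative.

```powershell
# Added example, not from the deck: last-mile policy for contoso.com via the NRPT.
# Assumes the DnsClient and GroupPolicy modules; GPO name and namespace are illustrative.
# -DnsSecEnable            : clients set the DO bit and ask the LDNS to validate
# -DnsSecValidationRequired: only answers with the AD (authenticated data) bit are accepted
# -DnsSecIPsecRequired     : client-to-resolver traffic must be protected by IPsec, so the
#                            AD bit cannot be spoofed on the last hop (needs IPsec rules on both ends)
Add-DnsClientNrptRule -GpoName 'Contoso DNSSEC last mile' -Namespace '.contoso.com' `
    -DnsSecEnable -DnsSecValidationRequired -DnsSecIPsecRequired -DnsSecIPsecEncryptionType Medium `
    -Comment 'Require DNSSEC validation and IPsec to the LDNS for contoso.com'

# On a client after the policy applies (gpupdate /force or the next refresh):
Get-DnsClientNrptPolicy -Effective | Where-Object Namespace -eq '.contoso.com'

# Validated answer: succeeds only if the LDNS validated the chain of slides 9 to 15.
Resolve-DnsName -Name www.contoso.com -Type A

# Same query with checking disabled (CD bit): the LDNS returns data even when it is bogus,
# which is how to tell a validation failure from a name that really does not resolve.
Resolve-DnsName -Name www.contoso.com -Type A -DnssecCd
```

Without the IPsec requirement the client is trusting a single bit in a cleartext UDP reply; with it, the resolver that did the validation on slides 9 to 15 is authenticated to the client, which is the whole point of the last mile.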




41 Talk to our Experts at the TLC. Download Windows Server 2012 Release Candidate: microsoft.com/windowsserver. Hands-On Labs. Download Windows Azure: windowsazure.com/teched

42 Connect. Share. Discuss. http://northamerica.msteched.com
Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Resources for Developers: http://microsoft.com/msdn



