DNSSEC Validation in Windows Server 2012

  • Question

  • I've recently set up DNSSEC in a virtual environment in order to see how it all works and write some related documentation for my company. The environment consists of an AD domain with three DCs, which I named 2008R2DC, 2012DC, and 2012R2DC to make it obvious which OS they're running. All three DCs are also DNS servers. There's also a Win7 client named - can you guess? - WIN7CLIENT. There are a couple of other machines as well, but they play no part in this.

    For testing purposes, I configured WIN7CLIENT to use 2012DC as its only DNS server. 2012DC has a forwarder configured, BTW, and the Use root hints if no forwarders are available checkbox is unchecked. This is because nothing in the virtual environment can reach the root servers directly (presumably because of a company firewall policy over which I have no control), but external resolution via the forwarder works fine.

    I created and signed a test zone and am not having any problems with that aspect of DNSSEC. The issues I'm having all center around the ability of the 2012 DC to perform validation of responses for remote zones. This environment has internet access, and I was able to install the root trust anchor using the dnscmd /retrieveroottrustanchors command. The DNS console shows that the trust anchor is valid.

    I then created a simple Name Resolution Policy that required DNSSEC validation for all namespaces, and that's when external name resolution stopped working. A little testing outside the lab environment showed that many major .com domains (including - ahem - microsoft.com) aren't using DNSSEC at all, so I changed the NRPT to not require DNSSEC validation for any namespace and figured I'd add in a couple of domains that I verified are using DNSSEC. However, external name resolution still fails.

    I cleared all caches, started a packet capture on 2012DC, and ran ping www.microsoft.com on WIN7CLIENT. Here's what the capture shows:

    1. DNS query from WIN7CLIENT to 2012DC: host record for www.microsoft.com. The DO bit is not set.
    2. DNS query from 2012DC to the forwarder: host record for www.microsoft.com. The DO and CD bits are both set.
    3. DNS response from the forwarder to 2012DC: 3 CNAME records and an A record.

      Everything's good so far. At this point, I would expect 2012DC to send that response to WIN7CLIENT, since it didn't ask for DNSSEC data, but that's not what happened.
       
    4. DNS query from 2012DC to the forwarder: DS record for microsoft.com.
    5. DNS response from the forwarder to 2012DC: SOA record for a TLD server and its corresponding RRSIG record.
    6. DNS query from 2012DC to the forwarder: DNSKEY record for com.
    7. DNS response from the forwarder to 2012DC: 2 DNSKEY records and their RRSIG record.
    8. DNS query from 2012DC to the forwarder: DS record for com.
    9. DNS response from the forwarder to 2012DC: the DS record and its RRSIG record.
    10. DNS query from 2012DC to the forwarder: DNSKEY record for the root zone.
    11. DNS response from the forwarder to 2012DC: 2 DNSKEY records and their RRSIG record.
    12. DNS response from 2012DC to WIN7CLIENT: SERVFAIL.

    This sequence raises several questions:

    1. Since WIN7CLIENT didn't request DNSSEC validation at all (which it shouldn't, per the NRPT), why didn't 2012DC simply return the response it got from the forwarder in step 3?
    2. Having failed to obtain a DS record for microsoft.com (because the record doesn't exist), why did 2012DC continue requesting the DNSSEC chain of trust all the way up to the root? If it were going to send a SERVFAIL response anyway, wouldn't it make more sense to just send it after step 5?
    3. Is there any way to enable any kind of DNSSEC logging? Neither the event logs nor DNS debug logs are useful for determining why DNSSEC validation fails.

    Friday, March 21, 2014 10:13 PM
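To make the flag observations in steps 1, 2 and 12 of the capture concrete, here is an added Python example (not from the original post and not Windows code) that builds and decodes constructed DNS packets of the same shape: a plain client query, a query carrying the CD header bit plus the EDNS0 DO bit, and a SERVFAIL response. The packets are constructed here rather than taken from the capture; www.microsoft.com and the transaction id are sample values.

```python
import struct
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}

def encode_name(name):
    # Wire-format owner name: length-prefixed labels ending in a zero byte.
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, rd=True, cd=False, do=False, txid=0x1234):
    # Header flags: RD = 0x0100, CD (checking disabled) = 0x0010.
    flags = (0x0100 if rd else 0) | (0x0010 if cd else 0)
    pkt = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if do else 0)
    pkt += encode_name(name) + struct.pack("!HH", qtype, 1)
    if do:
        # EDNS0 OPT pseudo-RR: root name, TYPE 41, CLASS = UDP size, then ext-rcode, version, flags (DO = 0x8000) in the TTL slot, RDLEN 0.
        pkt += b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return pkt

def build_servfail(query):
    # Response echoing the question with QR|RD|RA set and RCODE 2 (SERVFAIL).
    txid = struct.unpack("!H", query[:2])[0]
    qend = skip_name(query, 12) + 4
    return struct.pack("!HHHHHH", txid, 0x8182, 1, 0, 0, 0) + query[12:qend]

def skip_name(pkt, off):
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer, 2 bytes
            return off + 2
        off += 1 + length

def inspect(pkt):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    info = {"id": txid, "qr": bool(flags & 0x8000), "rd": bool(flags & 0x0100),
            "ad": bool(flags & 0x0020), "cd": bool(flags & 0x0010),
            "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)), "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4   # skip QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        if rtype == 41:                  # OPT: DO lives in the TTL slot's flags
            info["do"] = bool(ttl & 0x8000)
        off += 10 + rdlen
    return info
```

The DO bit is not a header flag: it sits in the OPT pseudo-record in the additional section, so a capture reader has to decode that record to see it, whereas CD (checking disabled) in the header tells the forwarder that 2012DC intends to validate the answer itself.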

All replies

  • Hello,

    Thank you for your question.

    I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

    Thank you for your understanding and support.

    Tuesday, March 25, 2014 7:23 AM
    Moderator
  • Hi,

    Please refer to the TechNet article to get more information about it.

    Overview of DNSSEC

    http://technet.microsoft.com/en-us/library/jj200221.aspx

    Regards,

    Mike


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Wednesday, March 26, 2014 8:19 AM
  • Sorry I haven't responded - I ended up using kludgy workarounds to get enough information for the documentation I was writing. DNSSEC is still behaving strangely in my virtual environment, though. I referred extensively to that TechNet article and all of the other DNSSEC-related articles I could find while setting it up, but it just doesn't appear to be working like it should. For example, I have only one entry in the NRPT right now, and all it says is that DNSSEC validation is not required for any namespace. However, when clients query my DNS servers, packet captures show that the servers are still trying to perform validation, even for queries to internal zones that aren't signed at all.

    I would love to find some sort of tool that assists in troubleshooting DNSSEC in Windows. The event logs and debug logs are pretty useless in this regard, I have to say.

    Tuesday, April 22, 2014 9:01 PM
  • Hi,

    I am afraid I have to tell you that this question falls into the paid support category which requires a more in-depth level of support.  Please visit the below link to see the various paid support options that are available to better meet your needs. http://support.microsoft.com/default.aspx?id=fh;en-us;offerprophone

    Regards,

    Mike


    Wednesday, April 23, 2014 1:57 PM
  • OK, no problem. Since this is set up in a lab environment for my own use and I'm already done with the documentation mentioned above, I'm not going to worry about it. Thanks for taking a look, though!

    Wednesday, April 23, 2014 3:41 PM