DNSSEC private key storage on Windows 2012

    Question

  • Hello,

    where exactly are the PRIVATE keys for DNSSEC stored on Windows 2012? This apparently changed since 2008 R2, so would you please add this info at least here?

    a) if the DNS server is running on an AD DC and the keys are configured to be stored and replicated in AD, which object actually holds the private keys?

    b) if the DNS server is just a standalone non-DC server, where does it store the private keys locally?

    ondrej.

    Wednesday, December 10, 2014 12:08 PM

Answers

  • no, it didn't, but I am currently in the process of my own investigation into this and I will also post the results kind of soon. Basically, the signing keys are protected by the Key Distribution Service (kdssvc) and probably stored in the msDNS-SigningKeys attribute of the dnsZone object in its respective DNS application partition.

    The protection applied is either for the DOMAIN\Domain Controllers group if the zone is stored in the DC=DomainDnsZones application partition, or the keys are protected for the BUILTIN\Enterprise Domain Controllers "group" in case the zone data is stored in the forest-wide DC=ForestDnsZones application directory partition.

    Ondrej.

    Monday, December 29, 2014 12:19 PM
  • regarding the protection, there is no particular protection applied to the dnsZone object and its msDNS-xxx attributes, because the protection lies on the KDS master keys in the form of the CONFIDENTIAL and RODC_FILTERED searchFlags.

    ondrej.

    Monday, December 29, 2014 12:21 PM
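A way to verify the claims in these two answers on a Windows Server 2012 domain controller, added here by the editor and not part of the original thread. It assumes the ActiveDirectory PowerShell module (RSAT) is available, that `corp.example.com` stands in for a real AD-integrated zone, and that the searchFlags bit values are the ones documented for the AD schema (fCONFIDENTIAL = 0x80, fRODCFilteredAttribute = 0x200). It reads the searchFlags of the msDNS-SigningKeys and msKds-RootKeyData schema attributes, locates the dnsZone object in whichever application partition holds it, and enumerates the KDS root keys without attempting to read their confidential key data.

```powershell
# Added example (not from the thread). Run on a Windows Server 2012 DC, or on a
# host with RSAT pointed at one; assumes the ActiveDirectory module is installed.
Import-Module ActiveDirectory

$zoneName = 'corp.example.com'   # placeholder: replace with a signed AD-integrated zone
$rootDse  = Get-ADRootDSE
$domainNC = $rootDse.defaultNamingContext
$forestNC = $rootDse.rootDomainNamingContext
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# searchFlags bits as documented for the AD schema (assumed values, see MS-ADTS)
$fCONFIDENTIAL          = 0x80
$fRODCFilteredAttribute = 0x200

function Get-SearchFlagsInfo {
    # Decode the searchFlags of one schema attribute; returns $null if the
    # attribute does not exist in this forest's schema (e.g. schema not extended).
    param([string]$LdapDisplayName)
    $attr = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties searchFlags
    if (-not $attr) { return $null }
    [pscustomobject]@{
        Attribute    = $LdapDisplayName
        SearchFlags  = ('0x{0:X}' -f $attr.searchFlags)
        Confidential = [bool]($attr.searchFlags -band $fCONFIDENTIAL)
        RodcFiltered = [bool]($attr.searchFlags -band $fRODCFilteredAttribute)
    }
}

# 1. Schema-level protection: the DNS signing-key attributes versus the KDS root key data.
'msDNS-SigningKeys', 'msDNS-SigningKeyDescriptors', 'msKds-RootKeyData' |
    ForEach-Object { Get-SearchFlagsInfo $_ } | Format-Table -AutoSize

# 2. The dnsZone object: search both application partitions, since a zone lives in
#    either DomainDnsZones (domain-wide replication) or ForestDnsZones (forest-wide).
$partitions = @("DC=DomainDnsZones,$domainNC", "DC=ForestDnsZones,$forestNC")
foreach ($nc in $partitions) {
    $zone = Get-ADObject -SearchBase "CN=MicrosoftDNS,$nc" `
        -LDAPFilter "(&(objectClass=dnsZone)(name=$zoneName))" `
        -Properties 'msDNS-IsSigned', 'msDNS-SigningKeys', 'nTSecurityDescriptor' `
        -ErrorAction SilentlyContinue
    if (-not $zone) { continue }

    "Zone object: $($zone.DistinguishedName)"
    "  msDNS-IsSigned        : $($zone.'msDNS-IsSigned')"
    "  msDNS-SigningKeys set : $([bool]$zone.'msDNS-SigningKeys') (values: $(@($zone.'msDNS-SigningKeys').Count))"

    # Which DC principals hold rights on the zone object itself? Matches both
    # "<DOMAIN>\Domain Controllers" and "ENTERPRISE DOMAIN CONTROLLERS" (case-insensitive).
    $zone.nTSecurityDescriptor.Access |
        Where-Object { $_.IdentityReference -match 'Domain Controllers' } |
        Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType |
        Format-Table -AutoSize
}

# 3. The KDS root keys used by kdssvc live in the Configuration NC. Enumerate them
#    without requesting msKds-RootKeyData; reading that attribute is what the
#    CONFIDENTIAL flag limits to principals with an explicit Read Property right.
Get-ADObject -SearchBase "CN=Master Root Keys,CN=Group Key Distribution Service,CN=Services,$configNC" `
    -LDAPFilter '(objectClass=msKds-ProvRootKey)' `
    -Properties 'msKds-CreateTime', 'msKds-UseStartTime' |
    Select-Object Name, 'msKds-CreateTime', 'msKds-UseStartTime'
```

The interesting comparison is the first table: if msDNS-SigningKeys shows Confidential = False while msKds-RootKeyData shows Confidential = True and RodcFiltered = True, that matches the statement above that the real protection sits on the KDS master keys rather than on the zone attributes. Step 3 deliberately stops short of reading msKds-RootKeyData; a non-DC principal that tries will simply get the attribute back empty, which is the confidential-attribute behaviour rather than an access-denied error.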

All replies

  • Hi Ondrej,

    a)if the DNS server is running on an AD DC and the keys are configured to be stored and replicated in AD, which object actually holds the private keys?

    Under this circumstance, the private key is stored in Active Directory; in other words, it is stored in the AD database (NTDS folder) of all writable Domain Controllers (those with AD-integrated DNS installed).

    b) if the DNS server is just a standalone non-DC server, where does it stores the private keys locally?

    In the local computer certificate store, in the MS-DNSSEC container.

    More information for you:

    DNS Servers

    http://technet.microsoft.com/en-us/library/dn593674.aspx

    Generate Key Pairs

    http://technet.microsoft.com/en-us/library/ee649204(v=WS.10).aspx

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, December 11, 2014 4:24 AM
    Moderator
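A way to check, on a given server, which of the two storage locations named above applies to a zone's keys, added here by the editor and not part of the original reply. It assumes the DnsServer PowerShell module (Windows Server 2012 DNS role) and uses `corp.example.com` as a placeholder zone name. The Get-DnsServerSigningKey output reports per key whether it is stored in AD and which key storage provider holds it; when keys are not in AD, the script lists the local MS-DNSSEC certificate store and uses certutil to show the provider and key container behind each certificate, which is where the private key material actually resides.

```powershell
# Added example (not from the thread). Assumes the DnsServer module is installed
# (DNS Server role, Windows Server 2012) and that the zone is already signed.
Import-Module DnsServer

$zoneName = 'corp.example.com'   # placeholder zone name

# Ask the DNS server where it keeps the signing keys for this zone.
$keys = Get-DnsServerSigningKey -ZoneName $zoneName
$keys | Select-Object KeyId, KeyType, CryptoAlgorithm, KeyLength, KeyStorageProvider, StoreKeysInAD |
    Format-Table -AutoSize

if ($keys | Where-Object { -not $_.StoreKeysInAD }) {
    # Keys are not replicated in AD: they are represented as certificates in the
    # local machine's MS-DNSSEC store, with the private key held by the KSP.
    $store = Get-ChildItem -Path 'Cert:\LocalMachine\MS-DNSSEC' -ErrorAction SilentlyContinue
    if (-not $store) {
        Write-Warning 'The MS-DNSSEC certificate store is empty or missing on this host.'
        return
    }

    $store | Select-Object Subject, NotBefore, NotAfter, HasPrivateKey, Thumbprint |
        Format-Table -AutoSize

    # certutil prints the provider, key container and exportability for each
    # certificate in the store; those lines tell you where the private key lives
    # and whether it can be pulled off the box with the right local privileges.
    certutil -store MS-DNSSEC |
        Select-String -Pattern 'Subject:|Provider =|Key Container =|Private key is'
}
else {
    "All signing keys for $zoneName are stored in Active Directory (StoreKeysInAD = True)."
}
```

On a standalone server the certutil lines are the ones worth reading: a key reported as "Private key is exportable" under the Microsoft Software Key Storage Provider is only as well protected as local administrator access to the host, whereas an HSM-backed KSP would show its own provider name here.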
  • hello, thanks for the info. The important point for me is where exactly the keys are stored in AD. That is precisely the information which is missing. I suspect it must be somewhere in the attributes of the DNS application partition which stores the zone data as well, but where exactly?

    ondrej.

    Thursday, December 11, 2014 7:47 AM
  • Hi Ondrej,

    I didn’t find the location of the private keys; from my point of view, I don’t think that there is a specific physical/logical path published where the private keys are stored.

    Due to security requirements of private keys, they are not supposed to be exposed; otherwise, private keys would be very easy to retrieve for attackers.

    (Adding: Sorry for the mis-clicking :). )

    Best Regards,

    Amy



    Monday, December 15, 2014 9:28 AM
    Moderator
  • exactly, they are not supposed to be exposed, so I am just curious where in AD they are stored so that I can see how well protected they are :-) Might be a good example of a confidential attribute or even something else. O.
    Monday, December 15, 2014 9:59 AM
  • Hi Ondrej,

    At this moment, I still haven’t found any document which indicates the storage location of the private keys for DNSSEC.

    However, I could involve someone to perform further research on this if you’d like.

    Best Regards,

    Amy



    Sunday, December 21, 2014 9:32 AM
    Moderator
  • Hi Ondrej,

    Based on your description, the below information could help you on this.

    The DNS server command-line management tool (Dnscmd.exe) offers offline key generation and zone-signing capability through a signing tool.  RSA/SHA-1 is the supported algorithm. Supported key lengths are from 512 bits to 4096 bits.

    The signing tool generates keys that will be stored in certificates, an example of which would be a self-signed certificate in the computer store.

    In order to sign a zone, the zone data from a file-backed or an Active Directory-integrated zone must be copied to a temporary file.  The zone signing tool consumes this file as the input and generates a signed zone file as the output.  The signed zone file contains the additional RRSIG, DNSKEY, DS, and NSEC resource records for data in the zone.  This signed zone must then be reloaded on the DNS server in order for the server to host the zone. You can reload the signed zone by using Dnscmd.exe or DNS Manager.

    The zone signing tool also allows for key rollover either by pre-publishing keys or by generating two sets of signatures (one for the key being retired, one for the new key).

    Dynamic updates are automatically disabled on a DNSSEC-signed zone.  Windows Server® 2008 R2 DNS server supports the signing of static zones only.  You must use Dnscmd.exe or DNS Manager to add more resource records to a zone and the zone must be re-signed.

    Understanding DNSSEC in Windows

    http://technet.microsoft.com/en-us/library/ee649277(v=ws.10).aspx

    Thank you.

    Best regards,

    Steven Song


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Monday, December 22, 2014 12:53 PM
  • Hi Ondrej,

    Hope you are doing well!

    Would you please let me know if the previous information could help you on this?

    Thank you. Have a nice day!

    Regards,

    Steven Song



    Thursday, December 25, 2014 7:04 AM