dnssec

    Question

  • Hi all,

    DNSSEC is new to me; I have never used it before. We currently have a company.org one stored on a Windows 2003 Srv DNS. Now we have to host a company.travel zone, so an sTLD (sponsored Top-Level Domain).

    I think the best is to install a new DNS server using W2k8 R2 and host the .travel zone on the new one using DNSSEC, having a sort of split between old DNS and new DNS.

    Does someone have any idea how to implement such an infrastructure?

    In the Step-by-Step guide found on the MS website it is mentioned that one has to use IPSec, sign the zone and so on. To me it is not clear if IPSec is compulsory or not, and so far I didn't find any practical, non-theoretical article on how to do this sort of implementation.

    Thank you very much for any idea/advice,

    Monday, August 13, 2012 2:10 PM

Answers

  • Hi Izogen,

    Thanks for posting here.

    These two are valid domain names for internal use. As you can see, the purpose for which we deploy DNSSEC is to protect the DNS system from threats like spoofing, man-in-the-middle and cache poisoning attacks, so I don't see any particular reason we have to set DNSSEC with it unless we want to prevent the issues I mentioned and keep it more secure.

    Thanks.

    Tiger Li

    TechNet Community Support

    Tuesday, August 14, 2012 8:04 AM

All replies

  • Are you just playing in a lab or is there a good reason to implement DNSSEC?

    If you are doing it without a good purpose, I recommend you re-think this extra mgmt task + additional complexity for your environment.

    Anyway, here are a few links:

    http://technet.microsoft.com/en-us/video/dns-security-dnssec-overview.aspx

    http://technet.microsoft.com/en-us/library/ee649205%28v=ws.10%29.aspx

    http://technet.microsoft.com/en-us/library/cc728328%28v=ws.10%29

    Monday, August 13, 2012 7:45 PM
  • No, we don't play, we must implement it! We've been told that an sTLD like .travel works only with DNSSEC. As I said, I am not familiar with this and I am a bit confused about what we have to do with this.

    Thanks,

    Tuesday, August 14, 2012 6:19 AM
  • Hi Izogen,

    Thanks for posting here.

    > In the Step-by-Step guide found on the MS website it is mentioned that one has to use IPSec, sign the zone and so on. To me it is not clear if IPSec is compulsory or not, and so far I didn't find any practical, non-theoretical article on how to do this sort of implementation.

    DNSSEC does not provide privacy or encryption of DNS data. IPsec rules can be used in coordination with DNSSEC configuration to provide this additional level of security. That's the reason why we included this part in our guide; however, we can of course set DNSSEC up without this setting, but will have a potential issue on security in future.

    In order to get a better understanding of DNSSEC before we deploy in a production environment, I'd suggest starting from the contents in the link below and taking time to read it, especially the topic “Understanding DNSSEC in Windows”:

    Appendix A: Reviewing Key DNSSEC Concepts

    http://technet.microsoft.com/en-us/library/ee649254(WS.10).aspx

    Thanks.

    Tiger Li

    TechNet Community Support

    Tuesday, August 14, 2012 7:31 AM
  • Ok, let me put my question in other words: do I need to implement DNSSEC in order to have a domain zone like company.travel or company.museum hosted on one of our servers? As you can see, they are with .travel or .museum (sTLD).

    Thanks,

    Tuesday, August 14, 2012 7:56 AM