DNSSEC deployment

    Question

  • Hi Experts,

    Currently we are in the process of deploying Win2k12 member servers in our infrastructure, and our current FF & DF are on Win2k8 R2.

    So I have a few questions on DNSSEC deployment on Windows Server 2012 member servers.

    1) Is it OK to enable DNSSEC on DNS servers (non-Active Directory-integrated zones) that are running Windows Server 2012?

    or

    2) Do we really need to enable DNSSEC within our internal network (within the organization)?

    3) What are the drawbacks of configuring DNSSEC? I'm aware of the packet size increase.

    4) If we enable DNSSEC on non-AD-integrated zones, will Windows XP be able to resolve A records?

    5) If we enable DNSSEC, do we need special tools or commands for troubleshooting DNSSEC issues?

    Regards, Nidhin.CK

    • Moved by Bill_Stewart Monday, August 19, 2013 2:30 PM Move to more appropriate forum
    Monday, August 19, 2013 9:07 AM

Answers

  • Hi,

    1. You can enable DNSSEC on Windows Server 2012. There is also something new in Windows Server 2012; for more information:

    What's New in DNS Server in Windows Server 2012

    http://technet.microsoft.com/en-US/library/dn305897.aspx

    2. It is important to enable DNSSEC for security considerations. Of all malicious attacks, DNS is most vulnerable to spoofing.

    Of course, whether to enable it or not depends on your own security requirements.

    3. Per RFC 4035, UDP packet sizes up to 1220 bytes MUST be supported and packets up to 4000 bytes SHOULD be supported.

    4. The DNS client does not read and store a key for the trusted zone and, consequently, it does not perform any cryptography, authentication, or verification. When a resolver initiates a DNS query and the response contains DNSSEC resource records, programs running on the DNS client will return these records and cache them in the same manner as any other resource records. This is the extent to which Windows XP DNS clients support DNSSEC.

    5. Windows Server 2012 supports PowerShell, which you can use to manage DNS.

    For more information you can refer to:

    Secure DNS Deployment Guide

    http://technet.microsoft.com/en-us/library/ee649266(v=ws.10).aspx

    Hope this helps

    Tuesday, August 20, 2013 9:21 AM
    Moderator
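The marked answer says Windows Server 2012 can sign a zone, that signed responses grow (EDNS0 sizes per RFC 4035), that a Windows XP client does not validate and simply stores whatever records come back, and that PowerShell is the management and troubleshooting tool. The following block is an added example written for this page, not code from the thread or from Microsoft; it walks the questions in order on a file-backed (non-AD-integrated) primary zone using only the DnsServer and DnsClient cmdlets that ship with Windows Server 2012 / Windows 8. The zone name `corp.example.com`, the server names `dns01`/`dns02`, the host `www` and the export path `C:\DnsKeys` are hypothetical placeholders.

```powershell
# Added example (not from the original thread): sign a file-backed zone on a
# Windows Server 2012 DNS server, then verify and troubleshoot the result.
# Zone name, server names and paths are hypothetical; substitute your own.

Import-Module DnsServer
Import-Module DnsClient

$Zone      = 'corp.example.com'         # hypothetical non-AD-integrated primary zone
$DnsServer = 'dns01.corp.example.com'   # hypothetical authoritative server that holds it

# 1. Sign the zone with the server's default signing settings (KSK + ZSK,
#    NSEC3 denial of existence). -Force suppresses the confirmation prompt.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force -ComputerName $DnsServer -PassThru

# 2. Confirm the zone is signed and look at the keys that were generated.
Get-DnsServerDnsSecZoneSetting -ZoneName $Zone -ComputerName $DnsServer | Format-List
Get-DnsServerSigningKey -ZoneName $Zone -ComputerName $DnsServer | Format-Table -AutoSize

# 3. Count the DNSSEC record types signing added. A signed zone must carry
#    DNSKEY and RRSIG records plus NSEC3/NSEC3PARAM (or NSEC) for denial of existence.
foreach ($type in 'DnsKey', 'RRSig', 'NSec3', 'NSec3Param') {
    $n = @(Get-DnsServerResourceRecord -ZoneName $Zone -RRType $type `
            -ComputerName $DnsServer -ErrorAction SilentlyContinue).Count
    '{0,-10} {1}' -f $type, $n
}

# 4. Packet size (question 3): signed answers carry RRSIG/DNSKEY data and are
#    usually larger than the classic 512-byte UDP limit, so EDNS0 must work
#    end to end. Show the server's EDNS settings and make sure probing is on.
#    If a middlebox drops UDP DNS above 512 bytes, fix the middlebox; do not
#    disable EDNS on the server.
Get-DnsServerEDns -ComputerName $DnsServer
Set-DnsServerEDns -EnableProbes $true -EnableReception $true -ComputerName $DnsServer

# 5. Troubleshooting (question 5) from a Windows 8 / Server 2012 machine:
#    send the query with the DO bit set and check that an RRSIG arrives with
#    the A record. A Windows XP client cannot set DO or validate; it only
#    receives the plain A record from a server that validated on its behalf.
$answer = Resolve-DnsName -Name "www.$Zone" -Type A -Server $DnsServer -DnssecOk
$a      = $answer | Where-Object { $_.Type -eq 'A' }
$rrsig  = $answer | Where-Object { $_.Type -eq 'RRSIG' }
if ($a -and $rrsig) {
    'OK: A record(s) {0} returned with {1} RRSIG record(s)' -f ($a.IPAddress -join ','), @($rrsig).Count
} elseif ($a) {
    'WARNING: A record returned without RRSIG; the zone may be unsigned or EDNS/DO was stripped in transit'
} else {
    "FAIL: no A record for www.$Zone from $DnsServer"
}

# 6. Distribute trust: export the zone's public key so another resolver
#    (hypothetical dns02 in a different domain) can be given a trust anchor,
#    and list the anchors that server already knows for this zone.
Export-DnsServerDnsSecPublicKey -ZoneName $Zone -Path 'C:\DnsKeys' -Force -ComputerName $DnsServer
Get-DnsServerTrustAnchor -Name $Zone -ComputerName 'dns02.corp.example.com' -ErrorAction SilentlyContinue

# 7. Optional, Windows 8 / Server 2012 clients only: require validated answers
#    for this namespace through the Name Resolution Policy Table (NRPT).
Add-DnsClientNrptRule -Namespace ".$Zone" -DnsSecEnable -DnsSecValidationRequired
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq ".$Zone" }
```

Steps 1 to 4 and 6 run against the authoritative server and need DNS administrator rights there; step 5 can be run from any Windows 8 / Server 2012 box that can reach the server, which makes it the quickest check that signatures are actually leaving the server intact. Step 7 is deliberately last: once validation is required, a client whose resolver fails validation will get no answer for that namespace, so turn it on only after step 5 reports OK from the resolvers the clients actually use.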

All replies

  • Please post networking questions in the Windows Networking forum. This forum is for administrative scripting only.

    ¯\_(ツ)_/¯

    Monday, August 19, 2013 2:50 PM
  • I think I'm on the right forum, "Platform Networking". If not, please help me move this to the correct forum.

    Regards, Nidhin.CK

    Monday, August 19, 2013 6:55 PM
  • I think I'm on the right forum, "Platform Networking". If not, please help me move this to the correct forum.

    Regards, Nidhin.CK


    Your question initially showed on the scripting forum.  It is correct now.

    ¯\_(ツ)_/¯

    Monday, August 19, 2013 7:10 PM