DNSSEC Validation in Server 2012 R2

  • Question

  • Hello experts,

    I am trying to configure DNSSEC validation on Server 2012 R2. I have already
    configured the trust point by using the command Dnscmd.exe /RetrieveRootTrustAnchors.
    However, I am facing a weird problem: my server is a VPN server and is also acting
    as its own DNS server. For that, the Primary DNS Server on the NIC is an IP from the pool
    of IPs which I bought from IANA. Users connect to my VPN server and resolve names from
    my Primary DNS IP. Whenever I try to dig DNSSEC records using Cygwin on my server
    with the primary DNS set to the IP address from my pool, the response in Cygwin (shell emulator)
    doesn't show the AD flag, but when I change the Primary DNS to Google DNS
    the AD (Authenticated Data) flag shows up. Also, name resolution stops when the primary
    DNS is not set to the Google DNS server (8.8.8.8).

    Any suggestions on how to resolve this issue?

    Thanks
    Thursday, July 30, 2015 2:26 AM

Answers

  • Hi Frank,

    It depends on the zone being queried.

    If the zone is using DNSSEC, then the authoritative server for the zone would send the related resource records to you.

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, August 7, 2015 1:28 AM
    Moderator

All replies

  • Hi Frank,

    >>Whenever I tried to dig DNSSEC records using cygwin on my server when the primary dns is set to the ip address from my pool

    Which DNS server is it using, ISP or internal DNS server?

    VPN clients use the DNS server of VPN server. That means the responses are related to the DNS server.

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Friday, July 31, 2015 7:36 AM
    Moderator
  • Hello Leo,

    Actually, I wasn't able to explain my scenario clearly in the question. The scenario is that I have set up a DNSSEC recursive validating resolver using the Windows Server 2012 R2 DNS Server, on which I have configured DNSSEC validation using the command below:

    Dnscmd.exe /RetrieveRootTrustAnchors

    Now what happens is that when I dig the records, e.g. dig com @127.0.0.1, the reply I get doesn't have the ad flag in the response, but when I enter the command dig com @127.0.0.1 +dnssec I get the ad bit in the response.

    Any idea why this is happening?

    When I used the websites to test DNSSEC validation, they say my server doesn't validate.

    Any clues?

    Thanks

    Saturday, August 1, 2015 5:31 PM
  • Hi Frank,

    The AD bit is included in a DNS response and is an abbreviation for "authenticated data". If the AD bit is set (AD=1), then it means the DNS response is authentic because it was validated using DNSSEC.

    Since you entered +dnssec, the response would be validated using DNSSEC.

    Here is the reference for DNSSEC; it may help in understanding the query process:
    Overview of DNSSEC:
    https://technet.microsoft.com/en-us/library/jj200221.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Leo


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact tnmff@microsoft.com.

    Tuesday, August 4, 2015 7:22 AM
    Moderator
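The difference between the two dig commands in this thread is in the query, not in the answer: dig +dnssec adds an EDNS0 OPT record with the DO (DNSSEC OK) bit set, which tells the resolver that the client understands DNSSEC, and a validating resolver reports its validation result through the AD bit only to clients that signalled that (RFC 6840 section 5.7 also lets a client request the AD bit without DO by setting AD in its own query, which dig does with +adflag). The following Python script is an added example written for this thread, not code from Microsoft, dig or anyone in the discussion. It builds both kinds of query on the wire, shows which one carries DO, and reads the AD flag out of a response header; the two response headers at the bottom are constructed samples, not captures. The ask() helper sends a real UDP query to a resolver address you choose (the 127.0.0.1 default mirrors the dig commands above) and is only for interactive use.

```python
"""Build DNS queries with and without the EDNS0 DO bit and read the AD flag
from response headers. Hypothetical helper for this forum thread; not the
Windows DNS Server's or dig's own code."""
import socket
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.1.6)
FLAG_QR = 0x8000
FLAG_RD = 0x0100
FLAG_RA = 0x0080
FLAG_AD = 0x0020   # Authenticated Data
FLAG_CD = 0x0010   # Checking Disabled
EDNS_DO = 0x8000   # DNSSEC OK bit in the OPT RR TTL field (RFC 3225)
TYPE_OPT = 41


def encode_name(name):
    """Encode a domain name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234, dnssec_ok=False, ad_in_query=False):
    """Return a wire-format query. dnssec_ok appends an OPT RR with DO=1 (what
    dig +dnssec sends); ad_in_query sets AD in the header (what dig +adflag sends)."""
    flags = FLAG_RD | (FLAG_AD if ad_in_query else 0)
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, arcount)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # QCLASS IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_header_flags(packet):
    """Return the flags a resolver set in a response header as a dict."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "rd": bool(flags & FLAG_RD),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
    }


def query_has_do(packet):
    """True if a query carries an OPT RR with DO=1. Walks past the question
    section (queries built here use no name compression) and inspects the
    additional section."""
    _txid, _flags, qd, _an, _ns, ar = struct.unpack("!HHHHHH", packet[:12])
    pos = 12
    for _ in range(qd):
        while packet[pos] != 0:
            pos += 1 + packet[pos]
        pos += 1 + 4            # terminating zero plus QTYPE/QCLASS
    for _ in range(ar):
        if packet[pos] != 0:    # the OPT RR must use the root name
            return False
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", packet[pos + 1:pos + 11])
        if rtype == TYPE_OPT:
            return bool(ttl & EDNS_DO)
        pos += 11 + rdlen
    return False


def ask(name, resolver="127.0.0.1", dnssec_ok=True, timeout=3.0):
    """Send one UDP query to `resolver` and return the parsed response flags.
    Network helper for interactive use; nothing below calls it automatically."""
    txid = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid=txid, dnssec_ok=dnssec_ok), (resolver, 53))
        data, _ = s.recvfrom(4096)
    flags = parse_header_flags(data)
    if flags["id"] != txid:
        raise ValueError("transaction id mismatch")
    return flags


# Constructed sample response headers (not captured traffic): the same answer
# once without AD and once with AD set by a validating resolver.
SAMPLE_NO_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
SAMPLE_AD = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, 1, 1, 0, 1)

if __name__ == "__main__":
    print("plain query carries DO:   ", query_has_do(build_query("com")))
    print("+dnssec query carries DO: ", query_has_do(build_query("com", dnssec_ok=True)))
    print("sample response flags:    ", parse_header_flags(SAMPLE_AD))
```

Run it with python3 for the offline demo; from an interactive session, ask("com", dnssec_ok=False) and ask("com", dnssec_ok=True) against your own resolver reproduce the two dig commands from the thread, and the "ad" key shows whether the resolver reported validation to that kind of client. For the VPN clients in the original question the same rule applies: Windows stub resolvers that do not send DO or AD in their queries will not see AD in the answers even though the server validated them.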
  • Hello

    Is it possible that when the clients query through my own DNS caching server they get the validated response?

    Thanks

    Thursday, August 6, 2015 7:59 PM