February 16, 2012 archive

Want to Deploy DNSSEC on Microsoft Windows 7 or Server 2008 R2?

Do you operate a Microsoft Windows server infrastructure and want to know how to implement DNSSEC? If so, Microsoft published a “DNSSEC Deployment Guide” to help administrators of Windows Server 2008 R2 and Windows 7 systems.

The comprehensive document explains what DNSSEC is all about, walks step-by-step through each process and also provides easy checklists to use as a reference during deployment and ongoing operation.

I no longer administer Windows Servers so can’t personally attest to the usefulness of the guide.  In reading through it, my initial reaction is that there seems to be very little GUI management of DNSSEC. Most of the administration seems to involve use of the ‘dnscmd’ command-line tool.  While that’s perfectly fine by me, given that I’m a big command-line fan, I suspect that many regular Windows administrators may wish they could execute these commands through one of the administration tools Microsoft provides. The document also was last updated in March 2010 and thus pre-dates the signing of the root in July 2010. With the root signed, the section on distributing trust anchors may no longer be quite as applicable.

Regardless, this appears to be the most recent document provided by Microsoft and so if you have a Windows-based server infrastructure you may want to check it out.  I’d note that this document only applies to Windows Server 2008 R2 and Windows 7.  Earlier versions of Windows Server had much more limited support for DNSSEC.

If you are a Windows administrator, what do you think?  Is this document helpful? Useful?  What could Microsoft do to make DNSSEC deployment easier on Windows Server 2008 R2 or Windows 7?

3 IETF Mailing Lists To Follow For Monitoring DNSSEC

Would you like to monitor the ongoing evolution of IETF standards related to DNSSEC?  If so, here are 3 IETF working group mailing lists you may consider joining.  All lists are open to anyone to join.  Do note that several of these can have a very large amount of traffic.  Each of the mailing list pages also contains a link to the mailing list public archives if you would like to see what is going on in the lists prior to (or instead of) subscribing.

  • dnsext mailing list / dnsext charter

    The DNS has a large installed base and repertoire of protocol specifications. The DNSEXT working group will actively advance DNS protocol-related RFCs on the standards track while thoroughly reviewing further proposed extensions. The scope of the DNSEXT WG is confined to the DNS protocol, particularly changes that affect DNS protocols “on the wire” or the internal processing of DNS data. DNS operations are out of scope for the WG.

  • dnsop mailing list / dnsop charter

    The DNS Operations Working Group will develop guidelines for the operation of DNS software servers and the administration of DNS zone files. These guidelines will provide technical information relating to the implementation of the DNS protocol by the operators and administrators of DNS zones.

  • dane mailing list / DANE charter

    The DNS-based Authentication of Named Entities (dane) working group will specify mechanisms and techniques that allow Internet applications to establish cryptographically secured communications by using information distributed through DNSSEC for discovering and authenticating public keys which are associated with a service located at a domain name.

    For more information about the DANE working group, see the article in the October 2011 IETF Journal: “DANE: Taking TLS Authentication to the Next Level Using DNSSEC”.