DNSSEC on Windows 2008 R2

Beefing up DNS with DNSSEC is a very hot topic in the Netherlands. Our government has decided that all government domains must be secured by default, and the Netherlands itself has the highest implementation rate of DNSSEC domains in the world, which is no small feat as the Dutch .NL extension is one of the most used country extensions on the planet. Being a Dutch TLD therefore made me look into getting this to work on Windows Server. Microsoft implemented DNSSEC in Windows 7 and Windows Server 2008 R2, so if you plan on using DNSSEC on Windows-based DNS servers, your server must be R2. Fortunately, running dedicated DNS servers myself, this was, where needed, an extremely simple migration involving a reinstall and a simple batch job to recreate the zones based on zone files. In this post I will talk about the steps needed to secure your DNS zone with DNSSEC on Windows Server 2008 R2.

Let’s get started with our first commands, which generate the key signing key (KSK) and the zone signing key (ZSK):

Dnscmd /offlinesign /genkey /alg rsasha1 /Flags KSK /Length 2048 /zone example.org /SSCert /FriendlyName KSK-example.org

DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Length 1024 /Zone example.org /SSCert /FriendlyName ZSK-example.org

After this is done, Microsoft recommends that you export the newly created certificates using MMC. If you have multiple DNS servers (which you should), this is a requirement, so I did. Our next command is used to create the zone file with the DNSSEC signatures (DNSSEC signs zone data; it does not encrypt it):

Dnscmd.exe /offlinesign /signzone /input %windir%\System32\DNS\example.org.dns /output %windir%\System32\DNS\example.org.dnssec /zone example.org /signkey /cert /friendlyname KSK-example.org /signkey /cert /friendlyname ZSK-example.org

What this step does is create a fully signed version of your zone file with all the RRSIG records already in place. Now we delete the old zone and recreate it using the new .dnssec file:

dnscmd /ZoneDelete example.org /f

dnscmd /zoneadd example.org /Primary /file example.org.dnssec

Note: You must run this command in the actual folder that contains the DNS file; by default this is %windir%\System32\dns.

If you now open your DNS Manager you will see that the entire zone has been secured and key records have been created. You should now be ready to contact your registrar with your public keys.

Note: By default the KSK key is valid for over a year and the ZSK is valid for one month. This means that you will need to refresh your ZSK key every month or increase the time this key is valid.
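The validity periods in the note above matter operationally: once the signatures in the zone expire, validating resolvers reject its answers. As an added example (not from the original post or from Microsoft), this Python script scans a signed zone file for RRSIG records that are expired or close to expiry. It assumes the .dnssec file uses the RFC 4034 presentation format; the sample zone, key tags and dates are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in RFC 4034 presentation format (signatures shortened).
# Assumption: the .dnssec file written by dnscmd follows this layout.
SAMPLE_ZONE = """\
example.org. 3600 IN RRSIG DNSKEY 5 2 3600 20110901000000 20100801000000 11111 example.org. c2ln...
example.org. 3600 IN RRSIG SOA 5 2 3600 ( 20100831000000 20100801000000
        22222 example.org. c2ln... ) ; signed with the ZSK
www 3600 IN RRSIG A 5 3 3600 20100831000000 20100801000000 22222 example.org. c2ln...
"""

# RRSIG RDATA: type covered, algorithm, labels, original TTL,
# expiration, inception, key tag, signer name, signature.
RRSIG_RE = re.compile(
    r"\bRRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)")

def _when(field):
    """RFC 4034 allows YYYYMMDDHHmmSS or seconds since the epoch (UTC)."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def expiring_signatures(zone_text, now, warn_days=7):
    """Return (type_covered, key_tag, expires, status) for every RRSIG that
    is expired or expires within warn_days of `now`, soonest first."""
    # Strip ';' comments and the parentheses that wrap multi-line records.
    flat = re.sub(r";[^\n]*", "", zone_text).replace("(", " ").replace(")", " ")
    findings = []
    for covered, expiry, _inception, key_tag, _signer in RRSIG_RE.findall(flat):
        expires = _when(expiry)
        if expires <= now:
            findings.append((covered, int(key_tag), expires, "EXPIRED"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((covered, int(key_tag), expires, "EXPIRING"))
    return sorted(findings, key=lambda f: f[2])

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for covered, tag, expires, status in expiring_signatures(SAMPLE_ZONE, now):
        print(f"{status}: RRSIG {covered} (key tag {tag}) expires {expires:%Y-%m-%d}")
```

To check a real zone, pass the contents of the signed zone file instead of SAMPLE_ZONE and run it on a schedule shorter than the shortest signature validity.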

Useful links when trying to debug your DNSSEC deployment:

Sources: http://technet.microsoft.com/en-us/library/ee649268(v=ws.10)
