Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.


ENABLING ENTERPRISE DNSSEC ROLLOUT: NEW IN DNS
 Latest RFCs
 NSEC3 support
 RSA/SHA-2 and ECDSA signing
 Automated Trust Anchor rollover
 Support for 3rd-party key management

ENABLING ENTERPRISE DNSSEC ROLLOUT: ACTIVE DIRECTORY INTEGRATION
 Active Directory integrated
 Support for dynamic updates
 Preserves the multi-master DNS model
 Leverages AD for secure key distribution and Trust Anchor distribution
 Improved DNS/DNSSEC server performance
ENABLING ENTERPRISE DNSSEC ROLLOUT: AUTOMATION
 Automated re-signing on static and dynamic updates
 Automated key rollovers
 Automated signature refresh
 Automated updating of secure delegations
 Automated distribution and updating of Trust Anchors

Deployment
 Active Directory integrated zone
 Classic multi-master deployment
 Hosted on five DNS servers that are also domain controllers
Key master (KM)
 Single location for all key generation and management
 Responsible for automated key rollover
 The administrator designates one server to be the key master
 The first DNSSEC server becomes the KM

Zone signing
 Private zone signing keys replicate automatically to all DCs hosting the zone through AD replication
 Each zone owner signs its own copy of the zone when it receives the key
 Only Windows Server 2012 DCs will sign their copy of the zone

Dynamic updates
1. The client sends a dynamic update to any authoritative DNS server
2. That DNS server updates its own copy of the zone and generates signatures
3. The unsigned update is replicated to all other authoritative servers
4. Each DNS server adds the update to its copy of the zone and generates signatures

Demo: signing a zone
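The key master and zone signing steps above, carried out with the DnsServer PowerShell module. This is an added example, not part of the presentation or of Microsoft's own material; the zone name contoso.com is taken from the slides, while the server names (dc01, dc02, dc03 in contoso.com) and the key sizes and rollover period are assumptions for the example.

```powershell
# Added example (not from the presentation): sign an AD-integrated zone from the
# DC that should become the key master, then confirm the result on other DCs.
# Assumed: zone 'contoso.com' (from the deck) hosted on DCs dc01..dc03.
$zone      = 'contoso.com'
$keyMaster = 'dc01.contoso.com'

# 1. Create the KSK and ZSK on the key master. RSA/SHA-256 is one of the
#    algorithms listed in the deck. Keys are stored in AD (the default), so they
#    replicate to every DC hosting the zone; the ZSK gets a 90-day rollover period.
Add-DnsServerSigningKey -ComputerName $keyMaster -ZoneName $zone `
    -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ComputerName $keyMaster -ZoneName $zone `
    -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024 `
    -RolloverPeriod (New-TimeSpan -Days 90)

# 2. Sign the zone with the keys configured above. The server this runs against
#    becomes the key master (first DNSSEC server = KM); -Force skips the prompt.
Invoke-DnsServerZoneSign -ComputerName $keyMaster -ZoneName $zone -Force

# 3. Verify on the key master: the zone's DNSSEC settings name the KM, and the
#    zone now carries DNSKEY and RRSIG records.
$settings = Get-DnsServerDnsSecZoneSetting -ComputerName $keyMaster -ZoneName $zone
"Key master for ${zone}: $($settings.KeyMasterServer)"

Get-DnsServerResourceRecord -ComputerName $keyMaster -ZoneName $zone -RRType DnsKey |
    Format-Table HostName, RecordType, TimeToLive -AutoSize

# 4. Each DC hosting the zone signs its own copy once the keys replicate via AD.
#    Count RRSIG records on the other DCs; a DC that is not Windows Server 2012
#    will report zero because it does not sign its copy.
foreach ($dc in 'dc02.contoso.com', 'dc03.contoso.com') {
    $sigs = @(Get-DnsServerResourceRecord -ComputerName $dc -ZoneName $zone -RRType RRSig)
    '{0}: {1} RRSIG records' -f $dc, $sigs.Count
}
```

Run step 4 after AD replication has converged; an RRSIG count of zero on a Windows Server 2012 DC right after signing usually just means the private keys have not replicated to it yet.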

Trust Anchor distribution
 Trust Anchors replicate via AD to all DNS servers that are DCs in the forest
 Distribution of TAs to servers that are not domain controllers in the forest is manual, via PowerShell or DNS Manager
Trust Anchor maintenance
 Trust Anchor updates are automatically replicated via AD to all servers in the forest
 Automated Trust Anchor rollover is used to keep TAs up to date
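The manual trust anchor distribution described above, done with PowerShell for a DNS server that is not a domain controller, followed by a validation check from a client. This is an added example, not part of the presentation; dc01.contoso.com (a DC that already holds the anchor via AD) and ns-branch.contoso.com (a non-DC DNS server) are assumed names, and piping Get-DnsServerTrustAnchor output into Add-DnsServerTrustAnchor is an assumption about the cmdlet's input binding, so the explicit DS form is shown as well.

```powershell
# Added example (not from the presentation): copy the contoso.com trust anchor
# from a DC to a non-DC DNS server, then confirm that a DO-bit query validates.
$zone  = 'contoso.com'
$dc    = 'dc01.contoso.com'        # assumed: DC, holds the TA through AD replication
$nonDc = 'ns-branch.contoso.com'   # assumed: DNS server that is not a DC in the forest

# On the DC the trust anchor is already present (replicated through AD).
Get-DnsServerTrustAnchor -ComputerName $dc -Name $zone

# Copy it to the non-DC server. Assumption: Add-DnsServerTrustAnchor accepts the
# trust anchor records piped from Get-DnsServerTrustAnchor.
Get-DnsServerTrustAnchor -ComputerName $dc -Name $zone |
    Add-DnsServerTrustAnchor -ComputerName $nonDc -PassThru

# Equivalent explicit form from the zone's published DS data. The KeyTag and
# Digest below are constructed placeholders; use the values of the zone's KSK.
# Add-DnsServerTrustAnchor -ComputerName $nonDc -Name $zone -CryptoAlgorithm RsaSha256 `
#     -KeyTag 12345 -DigestType Sha256 -Digest '<hex digest of the KSK DS record>'

# Confirm the trust point now exists on the non-DC server.
Get-DnsServerTrustPoint -ComputerName $nonDc -Name $zone

# Validation check: query the non-DC server with the DO bit set. A validated
# answer carries RRSIG records next to the A record; a validation failure is
# returned as an error (SERVFAIL) rather than as unsigned data.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $nonDc -DnssecOk
$answer | Format-Table Name, Type, TTL -AutoSize
if ($answer | Where-Object Type -eq 'RRSIG') { 'Answer is signed' } else { 'No RRSIG in answer' }
```

Servers outside the forest do not receive trust anchor rollovers through AD, so when the KSK rolls, repeat the distribution step on each of them (or enable RFC 5011 style automated rollover on those servers).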

ZSK rollover for contoso.com (diagram, two slides): keys KSK, ZSK1, ZSK2; stages: Initial, Insert new key, Replicate, Re-sign with new key, Remove old key.
Signatures stay up to date
 New records are signed automatically when zone data changes (static and dynamic updates)
 NSEC records are kept up to date
Automated key rollovers
 Key rollover frequency is configured per zone
 The key master automatically generates new keys and replicates them via AD
 Zone owners roll over keys and re-sign the zone
 Secure delegations from the parent are also automatically updated (within the same forest)
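The rollover operations above, as an operator would inspect and drive them from the key master: list the rollover schedule, start an immediate ZSK rollover (the insert, replicate, re-sign, remove-old-key sequence from the diagram), and check signature freshness on a zone owner. This is an added example, not part of the presentation; dc01.contoso.com (key master) and dc02.contoso.com (another DC hosting the zone) are assumed names, and the property names used (KeyType, KeyId, NextRolloverTime, RecordData.SignatureExpiration, RecordData.TypeCovered) are assumed to match the DnsServer module's key and RRSIG objects.

```powershell
# Added example (not from the presentation): key rollover operations for
# contoso.com. Assumed: dc01 is the key master, dc02 another DC hosting the zone.
$zone      = 'contoso.com'
$keyMaster = 'dc01.contoso.com'
$zoneOwner = 'dc02.contoso.com'

# Which keys exist, and when does the key master plan to roll each of them?
Get-DnsServerSigningKey -ComputerName $keyMaster -ZoneName $zone |
    Format-Table KeyType, KeyId, CryptoAlgorithm, KeyLength, RolloverPeriod, NextRolloverTime -AutoSize

# Roll the ZSK now instead of waiting for the scheduled rollover (for example
# when a key is suspected to be exposed). The key master generates the
# successor key, AD replicates it, and each zone owner re-signs its own copy.
$zsk = Get-DnsServerSigningKey -ComputerName $keyMaster -ZoneName $zone |
    Where-Object KeyType -eq 'ZoneSigningKey' | Select-Object -First 1
Invoke-DnsServerSigningKeyRollover -ComputerName $keyMaster -ZoneName $zone -KeyId $zsk.KeyId -Force

# Signature freshness on a zone owner: list every RRSIG whose expiration falls
# within the next 7 days. Automated signature refresh should keep this list
# empty; entries here point at a DC that has stopped re-signing its copy.
$soon = (Get-Date).AddDays(7)
Get-DnsServerResourceRecord -ComputerName $zoneOwner -ZoneName $zone -RRType RRSig |
    ForEach-Object {
        [pscustomobject]@{
            Name       = $_.HostName
            Covers     = $_.RecordData.TypeCovered
            Expiration = $_.RecordData.SignatureExpiration
        }
    } |
    Where-Object { $_.Expiration -lt $soon } |
    Sort-Object Expiration | Format-Table -AutoSize
```

Because the secure delegation from the parent is only updated automatically within the same forest, a KSK rollover for a zone whose parent lives elsewhere still needs the new DS record published at the parent by hand before the old KSK is removed.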
