Presentation is loading. Please wait.

Presentation is loading. Please wait.

Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation.

Published byAmani Lief Modified over 9 years ago

Similar presentations

Presentation on theme: "Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation."— Presentation transcript:

1 Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation

2 OverviewDeployment Operations New in DNS

3 OverviewDeployment OperationsNew in DNS

4 OverviewDeployment OperationsNew in DNS

5  Latest RFCs  NSEC3 Support  RSA/SHA-2, ECDSA Signing  Automated Trust Anchor rollover  Support for 3 rd Party Key Mgmt ENABLING ENTERPRISE DNSSEC ROLLOUT OverviewDeployment OperationsNew in DNS

6  Active Directory Integrated  Support for dynamic updates  Preserving the multi-master DNS model  Leverage AD for secure key distribution and Trust Anchor distribution  Improve DNS/DNSSEC server performance ENABLING ENTERPRISE DNSSEC ROLLOUT OverviewDeployment OperationsNew in DNS

7 ENABLING ENTERPRISE DNSSEC ROLLOUT OverviewDeployment OperationsNew in DNS

8  Automated re-signing on static and dynamic updates  Automated key rollovers  Automated signature refresh  Automated updating of secure delegations  Automated distribution and updating of Trust Anchors ENABLING ENTERPRISE DNSSEC ROLLOUT OverviewDeployment OperationsNew in DNS

9 Active Directory integrated zone Classic multi-master deployment Hosted on five DNS servers that are also domain controllers OverviewDeployment OperationsNew in DNS

10 OverviewDeployment OperationsNew in DNS

11 Single location for all key generation and management Responsible for automated key rollover Administrator designates one server to be the key master First DNSSEC server becomes KM OverviewDeployment OperationsNew in DNS

12 Private zone signing keys replicate automatically to all DCs hosting the zone through AD replication Each zone owner signs its own copy of the zone when it receives the key Only Server 2012 DCs will sign their copy of the zone OverviewDeployment OperationsNew in DNS

13 1. Client sends dynamic update to any authoritative DNS server 2. That DNS server updates its own copy of the zone and generates signatures 3. The unsigned update is replicated to all other authoritative servers 4. Each DNS server adds the update to its copy of the zone and generates signatures OverviewDeployment OperationsNew in DNS

14 Signing a zone Demo

15 Trust Anchor Distribution Trust Anchors replicate to all DNS servers that are DCs in the forest via AD Distribution of TAs to servers not a domain controller in the forest is manual via PowerShell or DNS Manager Trust Anchor maintenance Trust Anchor updates are automatically replicated via AD to all servers in the forest Automated Trust Anchor rollover is used to keep TAs up to date OverviewDeployment OperationsNew in DNS

16 KSK contoso.com ZSK1 OverviewDeployment OperationsNew in DNS ZSK2 Initial Insert new Key Replicate Resign w/ new Key Remove old Key

17 KSK OverviewDeployment OperationsNew in DNS ZSK2 contoso.com ZSK1 Initial Insert new Key Replicate Resign w/ new Key Remove old Key

18 Signatures stay up-to-date New records are signed automatically when zone data changes Static and dynamic updates NSEC records are kept up to date Automated key rollovers Key rollover frequency is configured per zone Key master automatically generates new keys and replicates via AD Zone owners rollover keys and re-signs the zone Secure delegations from the parent are also automatically updated (within the same forest) OverviewDeployment OperationsNew in DNS

19 OverviewDeployment OperationsNew in DNS

20 OverviewDeployment OperationsNew in DNS

21 OverviewDeployment OperationsNew in DNS

22 OverviewDeployment OperationsNew in DNS

23

Download ppt "Deploying DNSSEC in Windows Server 2012 David Cates Platform Services Group Microsoft Corporation."

Similar presentations

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.

DNSSEC in Windows Server. DNS Server changes Provide DNSSEC support in the DNS server – Changes should allow federal agencies to comply with SC-20 and.
Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.

Practical Considerations for DNSSEC Automation Joe Gersch OARC Presentation September 24, 2008.
Auditing Microsoft Active Directory

Auditing Microsoft Active Directory
Agenda AD to Windows Azure AD Sync Options Federation Architecture

Agenda AD to Windows Azure AD Sync Options Federation Architecture
© 2006-2012 NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.

© NLnet Labs, Licensed under a Creative Commons Attribution 3.0 Unported License.Creative Commons Attribution 3.0 Unported License DNSSEC ROLLING.
IP ADDRESS MANAGEMENT [IPAM]

IP ADDRESS MANAGEMENT [IPAM]
Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.

Sergei Komarov. DNS  Mechanism for IP hostname resolution  Globally distributed database  Hierarchical structure  Comprised of three components.
MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.

MCTS Guide to Microsoft Windows Server 2008 Network Infrastructure Configuration Chapter 6 Managing and Administering DNS in Windows Server 2008.
DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.

DNSSEC Brought to you by ISC-BIND, SUNYCT, and: Nick Merante – SUNYIT Comp Sci SysAdmin Nick Gasparovich – SUNYIT Campus SysAdmin Paul Brennan – SUNYIT.
Implementing Domain Name System

Implementing Domain Name System
1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 SecSpider: Distributed DNSSEC Monitoring Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.

1 The State and Challenges of the DNSSEC Deployment Eric Osterweil Michael Ryan Dan Massey Lixia Zhang.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 7: Planning a DNS Strategy.
Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.

Christopher Chapman | MCT Content PM, Microsoft Learning, PDG Planning, Microsoft.
Changes to DNS in Windows Server 2003 By David Pracht.

Changes to DNS in Windows Server 2003 By David Pracht.
Domain Name Services Oakton Community College CIS 238.

Domain Name Services Oakton Community College CIS 238.
Understanding Active Directory

Understanding Active Directory
Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.

Hands-On Microsoft Windows Server 2008 Chapter 8 Managing Windows Server 2008 Network Services.
Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.

Deploying DNSSEC in Windows Server 2012 Rob Kuehfus Program Manager Microsoft Corporation WSV325.
DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

DNS operator/registrar changes toolkit of actions Steve Crocker Ólafur Guðmundsson Shinkuro 2011/03/26.

Similar presentations

Ads by Google