
DNSSEC: Will Microsoft Have Enough Time?

Torbjörn Eklöv

I have previously pointed out the shortcomings in user-friendly support for DNSSEC in Microsoft's Server 2008 R2. During the period just after I wrote the post [Swedish], I had a dialogue with Microsoft, but during the last months there has been no word at all.

The reason I bring this up again is that more and more Top Level Domains (TLDs) now enable DNSSEC, and also the fact that within six months the root will be signed. Since my initial post, Microsoft has updated its guide on how to activate the signing and validation of DNSSEC.

The document, "DNS_SVR2008R2_DNSSEC.doc", has now expanded from 30 pages to 80 pages — but this newer, more comprehensive version, hasn't made it any easier to configure their product, as you all can imagine. With this said, it is important to point out that there are other systems out on the market that handle DNSSEC in a good and user friendly way — and I really think Microsoft should be amongst them!

My view on requirements for the use of Microsoft's DNS with DNSSEC:

A functional GUI!

Today Microsoft offers only a command-line based interface, where the commands in turn use many complex parameters. A Windows administrator in general is most familiar with things like "right click -> Properties -> sign domain" or "right click -> Properties -> DNSSEC settings". If we compare the handling in Windows with the most commonly used open source products, the latter are much easier to use.

Distribution of Trust Anchors!

I strongly suggest that Microsoft uses Windows Update for the distribution of trust anchors, since the interface in the DNS Manager is nothing short of horrible.

There are some third party products on the market that solve some of the problems with the distribution of Trust Anchors and GUI, but how many users understand or accept that they must invest in, and use, a third party solution?

Support for NSEC3!

There is only support for NSEC and no support for signing and validating NSEC3 in Microsoft's products. Almost all newly signed TLDs use NSEC3, and with Microsoft's DNS we cannot validate these TLDs. How will Microsoft act here? On page 60 in "DNS_SVR2008R2_DNSSEC.doc" they state what can and cannot be done with NSEC3. Therefore it seems that they have support for NSEC3 — but the simple fact is that they do not!

In one of the responses to my earlier questions Microsoft said that the NSEC3 standard was completed too late in order to be implemented in Server 2008 R2. This gives an indication of the sometimes superior speed that open source programs offer. Many of the DNS appliances use BIND/NSD/Unbound and can therefore easily implement NSEC3 since these platforms have had that support for a long time.

But a solution might be on its way. I have, from undisclosed sources, heard rumors that Microsoft will support RSA/SHA256 in an upcoming service pack/update/version, and if so they will be able to support NSEC3 at the same time!
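To make concrete what "support for NSEC3" means for a validator, here is an added example (not code from the original post, from Microsoft, or from any of the products mentioned) that implements the two pieces an NSEC-only resolver lacks: the hashed owner-name computation and the interval check used for authenticated denial of existence, both per RFC 5155. It also encodes the reason an NSEC-only validator does not simply fail on an NSEC3-signed zone: RFC 5155 allocates algorithm numbers 6 and 7 as aliases whose only purpose is to make NSEC3-unaware validators treat such a zone as unsigned, and RFC 5702 requires an implementation of RSA/SHA-256 (algorithm 8) to implement NSEC3 as well, which is why the two go together in the rumor above. The zone name, salt and iteration count are the published test vectors from RFC 5155 Appendix A; the hashed names used in the interval check are taken from the same appendix.

```python
import base64
import hashlib


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    each label prefixed by its length, terminated by the root label (0x00)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data: bytes) -> str:
    """Base32 with the Extended Hex alphabet (RFC 4648 section 7), lowercase and
    unpadded. Unlike plain base32 this alphabet preserves byte order, which is
    what lets the interval check below compare hashed names as strings."""
    std = base64.b32encode(data).decode("ascii")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789ABCDEFGHIJKLMNOPQRSTUV")
    return std.translate(table).rstrip("=").lower()


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt);
    the hashed owner name is IH(iterations). SHA-1 is the only defined hash.
    A salt of "-" in presentation format means no salt."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def nsec3_covers(owner_hash: str, next_hash: str, target_hash: str) -> bool:
    """True if an NSEC3 record (owner_hash -> next_hash) proves that a name with
    target_hash does not exist: the target sorts strictly between the two. The
    last record in the chain points back to the first, so it wraps around."""
    owner, nxt, target = owner_hash.lower(), next_hash.lower(), target_hash.lower()
    if owner < nxt:
        return owner < target < nxt
    return target > owner or target < nxt


# Algorithm numbers that signal "this zone may be signed with NSEC3":
# 6 and 7 are the RFC 5155 aliases, 8 and 10 are the RFC 5702 RSA/SHA-2
# algorithms, whose implementations are required to support NSEC3.
NSEC3_CAPABLE_ALGORITHMS = {6, 7, 8, 10}


def validation_outcome(dnskey_algorithm: int, validator_supports_nsec3: bool) -> str:
    """How a validator treats a zone signed with the given algorithm number.
    A validator that does not recognise the algorithm has no usable DS record
    for the zone and treats it as insecure (RFC 4035 section 5.2): answers are
    passed through unvalidated rather than rejected as bogus."""
    if dnskey_algorithm in NSEC3_CAPABLE_ALGORITHMS and not validator_supports_nsec3:
        return "insecure"
    return "secure"


if __name__ == "__main__":
    # RFC 5155 Appendix A parameters: NSEC3PARAM 1 0 12 aabbccdd for zone "example".
    salt, iterations = "aabbccdd", 12
    for owner in ("example", "a.example", "ns1.example"):
        print(f"{owner:12s} -> {nsec3_hash(owner, salt, iterations)}")
    # The first record in the appendix's chain runs from the hash of "example"
    # to the hash of "ns1.example"; "a.example" hashes to a later interval.
    first, nxt = nsec3_hash("example", salt, iterations), nsec3_hash("ns1.example", salt, iterations)
    print("a.example covered by first interval:",
          nsec3_covers(first, nxt, nsec3_hash("a.example", salt, iterations)))
    print("RSASHA1-NSEC3-SHA1 zone on NSEC-only validator:", validation_outcome(7, False))
```

The practical consequence for the situation the post describes: a resolver that only understands NSEC does not break name resolution for an NSEC3-signed TLD, it silently stops protecting it, returning the zone's answers as if it were unsigned. That is exactly the gap a forwarder to an NSEC3-capable validator closes.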

Workarounds for validation!

Microsoft has, from a simplified point of view, two server platforms, Windows Server 2008 and Small Business Server 2008. The DNS servers in both platforms use the default root hints and can be configured with a forwarder towards a DNS server of your choice, and can therefore easily benefit from DNSSEC validation performed by that upstream server.

For example: Microsoft DNS -> validating DNS -> Internet

The validating DNS server can be an internal DNS server or your ISP's. You can easily test whether a DNS server validates DNSSEC by checking the status at test.ipv6.tk. Remember that you have to change your computer's DNS server to the one you want to test.
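The web check above reports what the page sees from your resolver; the same question can be asked of a resolver directly, because a validating resolver sets the AD ("authentic data") flag in its answers to clients that ask with the EDNS0 DO bit (RFC 4035 section 3.2). The following is an added example, not code from the original post or from any Microsoft product, that builds such a query, reads the flags from a response, and classifies the result. The two responses in the block are constructed in the code, not captured from a real server; `query_resolver` is the only part that talks to the network and is not called by the stand-alone demo. The server address in the usage note is an RFC 5737 documentation address standing in for the forwarder you want to check.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2).
QR, RD, RA, AD, CD = 0x8000, 0x0100, 0x0080, 0x0020, 0x0010
# "DNSSEC OK" bit in the OPT pseudo-RR's extended flags (RFC 4035 section 3.2.1).
DO = 0x8000
OPT_TYPE, A_TYPE, IN_CLASS = 41, 1, 1


def encode_name(name: str) -> bytes:
    """Wire form of a domain name: length-prefixed labels ending in the root label."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, qtype: int = A_TYPE, txid: int = 0x1234) -> bytes:
    """A recursive query with an OPT record whose DO bit asks for DNSSEC data,
    so a validating resolver will validate the answer and report that via AD."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1)   # 1 question, 1 additional (OPT)
    question = encode_name(qname) + struct.pack("!HH", qtype, IN_CLASS)
    # OPT: root name, TYPE 41, CLASS carries the UDP payload size,
    # TTL carries ext-rcode | version | flags (DO is the top flag bit), RDLEN 0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO, 0)
    return header + question + opt


def parse_header(packet: bytes) -> dict:
    """Decode the 12-byte header into the fields that matter for validation status."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & 0x000F, "answers": an}


def validation_status(response: bytes, expected_id: int = 0x1234) -> str:
    """Classify a response: 'validated' only when the resolver set AD.
    SERVFAIL from a validating resolver often means the signatures were bogus."""
    h = parse_header(response)
    if h["id"] != expected_id or not h["qr"]:
        return "not a matching response"
    if h["rcode"] == 2:
        return "servfail"
    return "validated" if h["ad"] else "not validated"


def query_resolver(server: str, qname: str, timeout: float = 3.0) -> str:
    """Send the query to a resolver over UDP and classify its answer (uses the network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname), (server, 53))
        data, _ = s.recvfrom(4096)
    return validation_status(data)


def _constructed_response(flags: int) -> bytes:
    """A constructed (not captured) response to the query above: one A record
    for the queried name pointing at a documentation address, plus an OPT record."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 1, 0, 1)
    question = encode_name("test.ipv6.tk") + struct.pack("!HH", A_TYPE, IN_CLASS)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", A_TYPE, IN_CLASS, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 4096, DO, 0)
    return header + question + answer + opt


# What a validating forwarder returns (AD set) versus a non-validating one.
VALIDATING_RESPONSE = _constructed_response(QR | RD | RA | AD)
PLAIN_RESPONSE = _constructed_response(QR | RD | RA)

if __name__ == "__main__":
    print("query length:", len(build_query("test.ipv6.tk")))
    print("validating forwarder:", validation_status(VALIDATING_RESPONSE))
    print("non-validating forwarder:", validation_status(PLAIN_RESPONSE))
```

To check a real forwarder, call `query_resolver("192.0.2.53", "test.ipv6.tk")` with the address of the server you intend to forward to. Two caveats when reading the result: the AD flag is not itself protected, so it only means something when the path between you and that resolver is trusted (a resolver on your own network, not one reached across the open Internet), and a "not validated" verdict for a name whose zone is unsigned is normal, so test against a name in a signed zone.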

Signing dynamic zones!

If Microsoft reworks and updates its DNSSEC implementation along these lines, it may also support more than the signing of static offline zones: it should also support the signing of dynamic zones, for example zones generated from AD data and dynamically assigned addresses. This would be most welcome, and I also believe that the internal zones inside the domain need to be secured towards the internal clients!

Future Internet

There are two things on the Internet today which I think are most important to the continued development of a secure, stable and scalable Internet. One is DNSSEC, where Microsoft today (unfortunately) simply can't match my expectations and needs, or the competition from other products. The second is IPv6, where Microsoft, on the other hand, offers by far the best IPv6 support of all available operating systems!

My thoughts can be summarized in one question: Will Microsoft settle for only half of the solution?

By Torbjörn Eklöv, CTO, Senior Network Architect, DNSSEC/IPv6

Related topics: DNS, DNSSEC, Security
