Home / Blogs

DNSSEC: Will Microsoft Have Enough Time?

Torbjörn Eklöv

I have previously pointed out the shortcomings of good and user friendly support for DNSSEC in Microsoft's Server 2008 R2. During the period just after I wrote the post [Swedish], I had a dialogue with Microsoft, but during the last months there has been no word at all.

The reason I bring this up again is that more and more Top Level Domains (TLDs) now enable DNSSEC and also the fact that within six months the root will be signed. Since my initial post, Microsoft have updated their guide on how to activate the signing and validation of DNSSEC.

The document, "DNS_SVR2008R2_DNSSEC.doc", has now expanded from 30 pages to 80 pages — but this newer, more comprehensive version, hasn't made it any easier to configure their product, as you all can imagine. With this said, it is important to point out that there are other systems out on the market that handle DNSSEC in a good and user friendly way — and I really think Microsoft should be amongst them!

My view on requirements for the use of Microsoft's DNS with DNSSEC:

A functional GUI!

Today Microsoft uses only a command-line based system were the commands in turn uses many complex parameters. A Windows administrator in general is most familiar with things like "right click-> Properties-> sign domain" or "right click-> Properties-> DNSSEC settings". If we compare the handling in Windows with the most common used open source products, the latter is much easier to use.

Distribution of Trust Anchors!

I strongly suggest that Microsoft uses Windows Update for the handling of Trust Anchor, since the interface in the DNS-manager is nothing short of horrible.

There are some third party products on the market that solve some of the problems with the distribution of Trust Anchors and GUI, but how many users understand or accept that they must invest in, and use, a third party solution?

Support for NSEC3!

There is only support for NSEC and no support for signing and validating NSEC3 in Microsoft's products. Almost all new TLD's uses NSEC3 and with Microsoft's DNS we cannot validate these TLD's . How will Microsoft act here? On page 60 in "DNS_SVR2008R2_DNSSEC.doc" they state what can and cannot be done with NSEC3. Therefore it seems that they have support for NSEC3 — but the simple fact is that they have not!

In one of the responses to my earlier questions Microsoft said that the NSEC3 standard was completed too late in order to be implemented in Server 2008 R2. This gives an indication of the sometimes superior speed that open source programs offer. Many of the DNS appliances use BIND/NSD/Unbound and can therefore easily implement NSEC3 since these platforms have had that support for a long time.

But a solution might be on its way. I have, from an undisclosed sources, heard rumors that Microsoft will support RSA/SHA256 in an upcoming service pack/update/version and if so they will be able to support NSEC3 at the same time!

Workarounds for validation!

Microsoft has, from a simplified point of view, two server platforms, Windows Server 2008 and Small Business Server 2008. The DNS servers in both platforms uses default root hints and a DNS-forwarder towards a DNS of your choice via configuration and can therefore easily obtain validation via DNSSEC.

For example: Microsoft DNS — > validating DNS — -> Internet

The validating DNS can be an internal DNS or your ISP's DNS. You can easily test if a DNS validate DNSSEC by check the status at test.ipv6.tk. Remember that you have to change your computers DNS to the DNS you want to test.

Signing dynamic zones!

If Microsoft reworks and updates their DNSSEC implementation according to my ideas, it is also possible that they will not only support the signing of static offline zones. They should also support the signing of dynamic zones. That is for example handle zones generated on AD-data and dynamic addresses. This should be most welcomed but I also believe that the internal zones inside the domain needs to be secured towards the internal clients!

Future Internet

There are two things on the Internet today which I think are most important to the continued development of a secure, stable and scalable Internet; One is DNSSEC, where Microsoft today (unfortunately) simply can't match my expectations and need and competition from other products. The second is IPv6, where Microsoft on the other hand offers the, by far, best support for IPv6 in all available operating systems!

My thoughts can be summarized in one question: -Will Microsoft settle for only half of the solution?

By Torbjörn Eklöv, CTO, Senior Network Architect, DNSSEC/IPv6

Related topics: DNS, DNS Security, Security

WEEKLY WRAP — Get CircleID's Weekly Summary Report by Email:


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Industry Updates – Sponsored Posts

Verisign Q1 2016 DDoS Trends: Attack Activity Increases 111 Percent Year Over Year

Is Your TLD Threat Mitigation Strategy up to Scratch?

Domain Management Handbook from MarkMonitor

i2Coalition to Host First Ever Smarter Internet Forum

Encrypting Inbound and Outbound Email Connections with PowerMTA

Resilient Cybersecurity: Dealing with On-Premise, Cloud-Based and Hybrid Security Complexities

What Holds Firms Back from Choosing Cloud-Based External DNS?

Verisign Releases Q4 2015 DDoS Trends - DDoS Attack Activity Increasing by 85% Year Over Year

Best Practices from Verizon - Proactively Mitigating Emerging Fraudulent Activities

Neustar Data Identifies Most Popular Times of Year for DDoS Attacks in 2015

The Framework for Resilient Cybersecurity (Webinar)

Data Volumes and Network Stress to Be Top IoT Concerns

DKIM for ESPs: The Struggle of Living Up to the Ideal

Computerworld Names Afilias' Ram Mohan a Premier 100 Technology Leader

Verisign Mitigates More Attack Activity in Q3 2015 Than Any Other Quarter During Last Two Years

Protect Your Privacy - Opt Out of Public DNS Data Collection

Verisign & Forrester Webinar: Defending Against Cyber Threats in Complex Hybrid-Cloud Environments

Measuring DNS Performance for the User Experience

Introducing Verisign Public DNS: A Free Recursive DNS Service That Respects Your Privacy

Faster DDoS Mitigation - Introducing Verisign OpenHybrid Customer Activated Mitigation

Sponsored Topics



Sponsored by

DNS Security

Sponsored by


Sponsored by
Afilias - Mobile & Web Services


Sponsored by
Afilias - Mobile & Web Services