Home / Blogs

DNSSEC: Will Microsoft Have Enough Time?

Torbjörn Eklöv

I have previously pointed out the shortcomings of good and user friendly support for DNSSEC in Microsoft's Server 2008 R2. During the period just after I wrote the post [Swedish], I had a dialogue with Microsoft, but during the last months there has been no word at all.

The reason I bring this up again is that more and more Top Level Domains (TLDs) now enable DNSSEC and also the fact that within six months the root will be signed. Since my initial post, Microsoft have updated their guide on how to activate the signing and validation of DNSSEC.

The document, "DNS_SVR2008R2_DNSSEC.doc", has now expanded from 30 pages to 80 pages — but this newer, more comprehensive version, hasn't made it any easier to configure their product, as you all can imagine. With this said, it is important to point out that there are other systems out on the market that handle DNSSEC in a good and user friendly way — and I really think Microsoft should be amongst them!

My view on requirements for the use of Microsoft's DNS with DNSSEC:

A functional GUI!

Today Microsoft uses only a command-line based system were the commands in turn uses many complex parameters. A Windows administrator in general is most familiar with things like "right click-> Properties-> sign domain" or "right click-> Properties-> DNSSEC settings". If we compare the handling in Windows with the most common used open source products, the latter is much easier to use.

Distribution of Trust Anchors!

I strongly suggest that Microsoft uses Windows Update for the handling of Trust Anchor, since the interface in the DNS-manager is nothing short of horrible.

There are some third party products on the market that solve some of the problems with the distribution of Trust Anchors and GUI, but how many users understand or accept that they must invest in, and use, a third party solution?

Support for NSEC3!

There is only support for NSEC and no support for signing and validating NSEC3 in Microsoft's products. Almost all new TLD's uses NSEC3 and with Microsoft's DNS we cannot validate these TLD's . How will Microsoft act here? On page 60 in "DNS_SVR2008R2_DNSSEC.doc" they state what can and cannot be done with NSEC3. Therefore it seems that they have support for NSEC3 — but the simple fact is that they have not!

In one of the responses to my earlier questions Microsoft said that the NSEC3 standard was completed too late in order to be implemented in Server 2008 R2. This gives an indication of the sometimes superior speed that open source programs offer. Many of the DNS appliances use BIND/NSD/Unbound and can therefore easily implement NSEC3 since these platforms have had that support for a long time.

But a solution might be on its way. I have, from an undisclosed sources, heard rumors that Microsoft will support RSA/SHA256 in an upcoming service pack/update/version and if so they will be able to support NSEC3 at the same time!

Workarounds for validation!

Microsoft has, from a simplified point of view, two server platforms, Windows Server 2008 and Small Business Server 2008. The DNS servers in both platforms uses default root hints and a DNS-forwarder towards a DNS of your choice via configuration and can therefore easily obtain validation via DNSSEC.

For example: Microsoft DNS — > validating DNS — -> Internet

The validating DNS can be an internal DNS or your ISP's DNS. You can easily test if a DNS validate DNSSEC by check the status at test.ipv6.tk. Remember that you have to change your computers DNS to the DNS you want to test.

Signing dynamic zones!

If Microsoft reworks and updates their DNSSEC implementation according to my ideas, it is also possible that they will not only support the signing of static offline zones. They should also support the signing of dynamic zones. That is for example handle zones generated on AD-data and dynamic addresses. This should be most welcomed but I also believe that the internal zones inside the domain needs to be secured towards the internal clients!

Future Internet

There are two things on the Internet today which I think are most important to the continued development of a secure, stable and scalable Internet; One is DNSSEC, where Microsoft today (unfortunately) simply can't match my expectations and need and competition from other products. The second is IPv6, where Microsoft on the other hand offers the, by far, best support for IPv6 in all available operating systems!

My thoughts can be summarized in one question: -Will Microsoft settle for only half of the solution?

By Torbjörn Eklöv, CTO, Senior Network Architect, DNSSEC/IPv6

Related topics: Cybersecurity, DNS, DNS Security


Don't miss a thing – get the Weekly Wrap delivered to your inbox.


To post comments, please login or create an account.

Related Blogs

Related News

Explore Topics

Dig Deeper

DNS Security

Sponsored by Afilias

Mobile Internet

Sponsored by Afilias Mobile & Web Services

IP Addressing

Sponsored by Avenue4 LLC


Sponsored by Verisign

Promoted Posts

Buying or Selling IPv4 Addresses?

Watch this video to discover how ACCELR/8, a transformative trading platform developed by industry veterans Marc Lindsey and Janine Goodman, enables organizations to buy or sell IPv4 blocks as small as /20s. more»

Industry Updates – Sponsored Posts

Verisign Named to the Online Trust Alliance's 2017 Audit and Honor Roll

Attacks Decrease by 23 Precent in 1st Quarter While Peak Attack Sizes Increase: DDoS Trends Report

Leading Internet Associations Strengthen Cooperation

Global Domain Name Registrations Reach 329.3 Million, 2.3 Million Growth in Last Quarter of 2016

Verisign Releases Q4 2016 DDoS Trends Report: 167% Increase in Average Peak Attack from 2015 to 2016

Neustar to be Acquired by Private Investment Group Led by Golden Gate Capital

Verisign Q3 2016 DDoS Trends Report: User Datagram Protocol (UDP) Flood Attacks Continue to Dominate

2016 U.S. Election: An Internet Forecast

Government Guidance for Email Authentication Has Arrived in USA and UK

ValiMail Raises $12M for Its Email Authentication Service

Don't Gamble With Your DNS

Defending Against Layer 7 DDoS Attacks

Understanding the Risks of the Dark Web

New TLD? Make Sure It's Secure

Verisign Releases Q2 2016 DDoS Trends Report - Layer 7 DDoS Attacks a Growing Trend

How Savvy DDoS Attackers Are Using DNSSEC Against Us

Radix Adds Dyn as a DNS Service Provider

Facilitating a Trusted Web Space for Financial Service Professionals

MarkMonitor Partners with CYREN to Deepen Visibility into Global Phishing Attacks

Verisign Named to the Online Trust Alliance's 2016 Honor Roll