SlideShare ist ein Scribd-Unternehmen logo

DNSSEC in Windows DNS Server

Kumar Ashutosh
Kumar Ashutosh

Overview of DNSSEC in Windows DNS Server with a walk-through of Zone Signing Process

Internet
1 von 14
Downloaden Sie, um offline zu lesen
DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft @krash0x35
Overview AutomationManageabilityInteroperabilityDynamic
Zone Signing • Choose the Key Master • Signing keys • KSK configuration • ZSK configuration • NSEC • Trust anchors • Signing and polling • Summary
Zone Signing: Select Key Master • Single location for all key generation and management • Responsible for automated key rollover
Zone Signing: Configure KSK • Key signing keys (KSK) are used to sign other DNSKEY records
Zone Signing: Configure ZSK • Zone signing keys (ZSK) are used to sign other records
Zone Signing: Denial of Existence • NSEC • NSEC3
Zone Signing: Trust Anchors • A trust anchor (or trust “point”) is a public cryptographic key for a signed zone. • Delegation Signer (DS) • DNSKEY
Zone Signing: Signaling And Polling
Flexibility Chose your Keys Dynamic unsign/re-sign Change Properties DDNS with DNSSEC AD/Non-AD Primary Secondary DNSSEC with Traffic Management Chose your Key Store
Powershell Automation Sign with Default • Invoke-DnsServerZoneSign -ZoneName secure.contoso.com –SignWithDefault -Force Customize your parameters • PS C:> Reset-DnsServerZoneKeyMasterRole -ZoneName fabrikam.com -KeyMasterServer dc2.contoso.com -SeizeRole -Force • PS C:> Set-DnsServerDnsSecZoneSetting -ZoneName fabrikam.com -DenialOfExistence NSec • PS C:> Add-DnsServerSigningKey -ZoneName fabrikam.com -Type KeySigningKey - CryptoAlgorithm RsaSha1 -KeyLength 2048 • PS C:> Add-DnsServerSigningKey -ZoneName fabrikam.com -Type ZoneSigningKey - CryptoAlgorithm RsaSha1 -KeyLength 1024 • PS C:> Invoke-DnsServerZoneSign -ZoneName fabrikam.com -Force
Distribute Trust Anchors Export a Trust Point • Export-DnsServerDnsSecPublicKey -ComputerName DC2.contoso.com -ZoneName secure.contoso.com - Path Mysharekeys • Export-DnsServerDnsSecPublicKey -ComputerName DC2.contoso.com -ZoneName secure.contoso.com - Path Mysharekeys -DigestType sha1 Import a Trust Point • Import-DnsServerTrustAnchor -KeySetFile "File1DNSKeyskeyset-secure.contoso.com" • Add-DnsServerTrustAnchor -Root Add Root Trust Anchor
Verify DNSSEC: Demonstration Step Query-response Optional DNSSEC data 1 A DNS client sends a DNS query to a recursive DNS server. The DNS client can indicate that it is DNSSEC-aware (DO=1). 2 The recursive DNS server sends a DNS query to the root and top-level domain (TLD) DNS servers. The recursive DNS server can indicate that it is DNSSEC-aware (DO=1). 3 The root and TLD servers return a DNS response to the recursive DNS server providing the IP address of the authoritative DNS server for the zone. Authoritative servers for the parent zone can indicate that the child zone is signed using DNSSEC and include a secure delegation (DS record). 4 The recursive DNS server sends a DNS query to the authoritative DNS server for the zone. The recursive DNS server can indicate that it is DNSSEC-aware (DO=1) and capable of validating signed resource records (CD=1) to be sent in the response. 5 The authoritative DNS server returns a DNS response to the recursive DNS server, providing the resource record data. The authoritative DNS server can include DNSSEC signatures in the form of RRSIG records in the DNS response, for use in validation. 6 The recursive DNS server returns a DNS response to the DNS client, providing the resource record data. The recursive DNS server can indicate whether or not the DNS response was validated (AD=1) using DNSSEC.
Thank You For more details visit: https://technet.microsoft.com/en-us/library/dn593694(v=ws.11).aspx

Empfohlen

Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Kumar Ashutosh
 
Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013Slawomir Skowron
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)Venkatesh Jambulingam
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3DNS Entrepreneurship Center
 
Implementing Domain Name
Implementing Domain NameImplementing Domain Name
Implementing Domain NameNapoleon NV
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 

Empfohlen

Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Understanding DNSSEC in Windows DNS Server
Understanding DNSSEC in Windows DNS Server Kumar Ashutosh
 
Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013Dnscluster @ DevOps Krakow 2013
Dnscluster @ DevOps Krakow 2013Slawomir Skowron
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
Domain Name System (DNS)
Domain Name System (DNS)Domain Name System (DNS)
Domain Name System (DNS)Venkatesh Jambulingam
 
7 technical-dns-workshop-day3
7 technical-dns-workshop-day37 technical-dns-workshop-day3
7 technical-dns-workshop-day3DNS Entrepreneurship Center
 
Implementing Domain Name
Implementing Domain NameImplementing Domain Name
Implementing Domain NameNapoleon NV
 
8 technical-dns-workshop-day4
8 technical-dns-workshop-day48 technical-dns-workshop-day4
8 technical-dns-workshop-day4DNS Entrepreneurship Center
 
DNS Attacks
DNS AttacksDNS Attacks
DNS AttacksHimanshu Prabhakar
 
OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1DNS Entrepreneurship Center
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
Dns
DnsDns
DnsPatruni Chidananda Sastry
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
Domain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsDomain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsAsif Shahzad
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1DNS Entrepreneurship Center
 
The History of DNS
The History of DNSThe History of DNS
The History of DNSMichael McLean
 
Paolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestrationPaolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestrationGrzegorz Duda
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Yen-Kuan Wu
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentBangladesh Network Operators Group
 
4 technical-dns-workshop-day2
4 technical-dns-workshop-day24 technical-dns-workshop-day2
4 technical-dns-workshop-day2DNS Entrepreneurship Center
 
Dns
DnsDns
Dnsdeshvikas
 
Bind How To
Bind How ToBind How To
Bind How Tocntlinux
 
DNS Vulnerabilities
DNS VulnerabilitiesDNS Vulnerabilities
DNS VulnerabilitiesMike Spaulding
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino AdminblastGabriella Davis
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 
DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 

Weitere ähnliche Inhalte

Was ist angesagt?

OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedAPNIC
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesSam Bowne
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondSam Bowne
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureSam Bowne
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionSam Bowne
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecuritySam Bowne
 
Domain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsDomain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsAsif Shahzad
 
Paolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestrationPaolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestrationGrzegorz Duda
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Yen-Kuan Wu
 
Bind How To
Bind How ToBind How To
Bind How Tocntlinux
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesSam Bowne
 

Was ist angesagt? (20)

OARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching RevisitedOARC 31: NSEC Caching Revisited
OARC 31: NSEC Caching Revisited
 
2 technical-dns-workshop-day1
2 technical-dns-workshop-day12 technical-dns-workshop-day1
2 technical-dns-workshop-day1
 
CNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilitiesCNIT 40: 3: DNS vulnerabilities
CNIT 40: 3: DNS vulnerabilities
 
CNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyondCNIT 40: 6: DNSSEC and beyond
CNIT 40: 6: DNSSEC and beyond
 
CNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and ArchitectureCNIT 40: 2: DNS Protocol and Architecture
CNIT 40: 2: DNS Protocol and Architecture
 
Dns
DnsDns
Dns
 
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruptionCNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
CNIT 40: 5: Prevention, protection, and mitigation of DNS service disruption
 
CNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS SecurityCNIT 40: 1: The Importance of DNS Security
CNIT 40: 1: The Importance of DNS Security
 
Domain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting BasicsDomain Name System (DNS) - Domain Registration and Website Hosting Basics
Domain Name System (DNS) - Domain Registration and Website Hosting Basics
 
1 technical-dns-workshop-day1
1 technical-dns-workshop-day11 technical-dns-workshop-day1
1 technical-dns-workshop-day1
 
The History of DNS
The History of DNSThe History of DNS
The History of DNS
 
Paolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestrationPaolucci voxxed-days-berlin-2016-age-of-orchestration
Paolucci voxxed-days-berlin-2016-age-of-orchestration
 
Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)Build Dynamic DNS server from scratch in C (Part1)
Build Dynamic DNS server from scratch in C (Part1)
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
4 technical-dns-workshop-day2
4 technical-dns-workshop-day24 technical-dns-workshop-day2
4 technical-dns-workshop-day2
 
Dns
DnsDns
Dns
 
Bind How To
Bind How ToBind How To
Bind How To
 
DNS Vulnerabilities
DNS VulnerabilitiesDNS Vulnerabilities
DNS Vulnerabilities
 
Domino Adminblast
Domino AdminblastDomino Adminblast
Domino Adminblast
 
CNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breachesCNIT 40: 4: Monitoring and detecting security breaches
CNIT 40: 4: Monitoring and detecting security breaches
 

Ähnlich wie DNSSEC in Windows DNS Server

DNS Security
DNS SecurityDNS Security
DNS Securityinbroker
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Knowlaurenrprice
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the InternetRIPE NCC
 
DNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptxDNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptxAisha Siddiqui
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSecAFRINIC
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]APNIC
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013Shumon Huque
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view APNIC
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns ConfigurationLohit Ahuja
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS PrivacyAPNIC
 
Zone in windows server 2012
Zone in windows server 2012Zone in windows server 2012
Zone in windows server 2012devil00dante
 
Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07gameaxt
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practicekuchinskaya
 

Ähnlich wie DNSSEC in Windows DNS Server (20)

DNS Security
DNS SecurityDNS Security
DNS Security
 
DNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to KnowDNSSEC: What a Registrar Needs to Know
DNSSEC: What a Registrar Needs to Know
 
Hardening the Core of the Internet
Hardening the Core of the InternetHardening the Core of the Internet
Hardening the Core of the Internet
 
DNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptxDNSandDNSSecurity (1).pptx
DNSandDNSSecurity (1).pptx
 
Introduction DNSSec
Introduction DNSSecIntroduction DNSSec
Introduction DNSSec
 
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
What if everyone did it?, by Geoff Huston [APNIC 38 / APOPS 1]
 
DNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & AfiliasDNSSEC for Registrars by .ORG & Afilias
DNSSEC for Registrars by .ORG & Afilias
 
DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013DNSSEC Tutorial; USENIX LISA 2013
DNSSEC Tutorial; USENIX LISA 2013
 
23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view 23rd PITA AGM and Conference: DNS Security - A holistic view
23rd PITA AGM and Conference: DNS Security - A holistic view
 
Configuring Dns
Configuring DnsConfiguring Dns
Configuring Dns
 
Dns Configuration
Dns ConfigurationDns Configuration
Dns Configuration
 
vpn-radius-5.ppt
vpn-radius-5.pptvpn-radius-5.ppt
vpn-radius-5.ppt
 
IGF 2023: DNS Privacy
IGF 2023: DNS PrivacyIGF 2023: DNS Privacy
IGF 2023: DNS Privacy
 
Dns interview
Dns interviewDns interview
Dns interview
 
6421 b Module-03
6421 b Module-036421 b Module-03
6421 b Module-03
 
Zone in windows server 2012
Zone in windows server 2012Zone in windows server 2012
Zone in windows server 2012
 
Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time Re-Engineering the DNS – One Resolver at a Time
Re-Engineering the DNS – One Resolver at a Time
 
Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07Microsoft Offical Course 20410C_07
Microsoft Offical Course 20410C_07
 
Mens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practiceMens jan piet_dnssec-in-practice
Mens jan piet_dnssec-in-practice
 
Wintel
WintelWintel
Wintel
 

Kürzlich hochgeladen

Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationMarko4394
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhimiss dipika
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Sonam Pathan
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 

Kürzlich hochgeladen (20)

Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
NSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentationNSX-T and Service Interfaces presentation
NSX-T and Service Interfaces presentation
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Contact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New DelhiContact Rya Baby for Call Girls New Delhi
Contact Rya Baby for Call Girls New Delhi
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
Call Girls In The Ocean Pearl Retreat Hotel New Delhi 9873777170
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 

DNSSEC in Windows DNS Server

  • 1. DNSSEC in Windows DNS Server Kumar Ashutosh, Microsoft @krash0x35
  • 3. Zone Signing • Choose the Key Master • Signing keys • KSK configuration • ZSK configuration • NSEC • Trust anchors • Signing and polling • Summary
  • 4. Zone Signing: Select Key Master • Single location for all key generation and management • Responsible for automated key rollover
  • 5. Zone Signing: Configure KSK • Key signing keys (KSK) are used to sign other DNSKEY records
  • 6. Zone Signing: Configure ZSK • Zone signing keys (ZSK) are used to sign other records
  • 8. Zone Signing: Trust Anchors • A trust anchor (or trust “point”) is a public cryptographic key for a signed zone. • Delegation Signer (DS) • DNSKEY
  • 11. Powershell Automation Sign with Default • Invoke-DnsServerZoneSign -ZoneName secure.contoso.com –SignWithDefault -Force Customize your parameters • PS C:> Reset-DnsServerZoneKeyMasterRole -ZoneName fabrikam.com -KeyMasterServer dc2.contoso.com -SeizeRole -Force • PS C:> Set-DnsServerDnsSecZoneSetting -ZoneName fabrikam.com -DenialOfExistence NSec • PS C:> Add-DnsServerSigningKey -ZoneName fabrikam.com -Type KeySigningKey - CryptoAlgorithm RsaSha1 -KeyLength 2048 • PS C:> Add-DnsServerSigningKey -ZoneName fabrikam.com -Type ZoneSigningKey - CryptoAlgorithm RsaSha1 -KeyLength 1024 • PS C:> Invoke-DnsServerZoneSign -ZoneName fabrikam.com -Force
  • 12. Distribute Trust Anchors Export a Trust Point • Export-DnsServerDnsSecPublicKey -ComputerName DC2.contoso.com -ZoneName secure.contoso.com - Path Mysharekeys • Export-DnsServerDnsSecPublicKey -ComputerName DC2.contoso.com -ZoneName secure.contoso.com - Path Mysharekeys -DigestType sha1 Import a Trust Point • Import-DnsServerTrustAnchor -KeySetFile "File1DNSKeyskeyset-secure.contoso.com" • Add-DnsServerTrustAnchor -Root Add Root Trust Anchor
  • 13. Verify DNSSEC: Demonstration Step Query-response Optional DNSSEC data 1 A DNS client sends a DNS query to a recursive DNS server. The DNS client can indicate that it is DNSSEC-aware (DO=1). 2 The recursive DNS server sends a DNS query to the root and top-level domain (TLD) DNS servers. The recursive DNS server can indicate that it is DNSSEC-aware (DO=1). 3 The root and TLD servers return a DNS response to the recursive DNS server providing the IP address of the authoritative DNS server for the zone. Authoritative servers for the parent zone can indicate that the child zone is signed using DNSSEC and include a secure delegation (DS record). 4 The recursive DNS server sends a DNS query to the authoritative DNS server for the zone. The recursive DNS server can indicate that it is DNSSEC-aware (DO=1) and capable of validating signed resource records (CD=1) to be sent in the response. 5 The authoritative DNS server returns a DNS response to the recursive DNS server, providing the resource record data. The authoritative DNS server can include DNSSEC signatures in the form of RRSIG records in the DNS response, for use in validation. 6 The recursive DNS server returns a DNS response to the DNS client, providing the resource record data. The recursive DNS server can indicate whether or not the DNS response was validated (AD=1) using DNSSEC.
  • 14. Thank You For more details visit: https://technet.microsoft.com/en-us/library/dn593694(v=ws.11).aspx