DNS Workshop

Tuesday Sep 11, 2012

DNSSEC signing a zone with Windows Server 2012

Windows Server 2012 was released on 4 September 2012. Time to have a closer look at its DNSSEC signing capabilities (DNSSEC validation on Windows Server 2012 is covered in the article "DNSSEC validation in Microsoft DNS Server 2012").

For the DNSSEC zone signing walk-through a newly installed Windows Server 2012 "Standard" machine was used. Only the DNS role was installed in addition to the default components, with no Active Directory. This article covers the creation of a static DNS zone for the Internet. I do not cover the creation of internal dynamic zones that are updated by clients or by a DHCP server.

Creating the zone

From the "DNS Manager", a new static zone is created.

Zone-Type is set to "Primary Zone" to create a primary master zone. The name of the zone is "windnssec.signed04.dnslab.org". The parent zone (signed04.dnslab.org) is hosted on a BIND 9.9.1-P2 server, and has a working DNSSEC chain-of-trust to the trust-anchor of the root-zone. An independent DNSSEC validating resolver (BIND 9 with configured root trust anchor) is used to validate the new zone.

The zone-file for this static zone will be in the default location "C:\Windows\System32\dns" and the name will be "windnssec.signed04.dnslab.org.dns".

Dynamic DNS updates are disabled, since this is a static zone.

The zone is now complete and works as a normal, unsigned (non-DNSSEC) zone.

Signing the zone

From the context menu on the zone name (right-click), I select "DNSSEC -> Sign the zone" to launch the DNSSEC zone signing wizard.

For this zone, we select "Customize the zone signing parameters", not because we want to change the defaults, but to see all the default parameters and options that the wizard lets us adjust.

First are the KSKs (Key Signing Keys). I keep the default values, except that I change the key size to the maximum of 4096 bits (the default is 2048 bits). The default algorithm is RSASHA256 (DNSSEC algorithm number 8, the "8" that appears in the DNSKEY and RRSIG records below). DNSKEY signatures are valid for 168 hours (7 days), which matches the DNSKEY RRSIGs in the signed zone below (inception 20120911124910, expiration 20120918134910: seven days plus one hour), and the key rollover frequency is 755 days (2 years + 25 days). We could add more than one KSK to the zone, but one KSK is usually enough, as the Windows 2012 DNS server automatically creates an extra "emergency rollover" KSK. One caveat on the key size: two 4096-bit KSKs, two ZSKs and the two RRSIGs over the DNSKEY RRset make this zone's DNSKEY response about 2 KB, so validators need a large enough EDNS buffer (the dig output below advertises 4096 bytes) or must fall back to TCP to fetch it.

Next are the ZSKs (Zone Signing Keys). I left the default values here. The rollover frequency is 90 days (3 months). The RRSIGs produced by the ZSK in the signed zone below run from 20120911124910 to 20120921134910, i.e. the zone records are signed for ten days plus one hour, slightly longer than the DNSKEY signatures.

I use NSEC3 for authenticated denial of existence, which is the default for Windows 2012.

The number of iterations is 50 (default), the salt is random, and the default salt size is 8 bytes (64 bits, so the salt shows up as 16 hex characters; the signed zone below carries NSEC3PARAM 1 0 50 7A59BC4B8A536621). No "opt-out", as this zone will not have insecure delegations. Note that current guidance (RFC 9276) is to use 0 additional iterations and an empty salt: every extra iteration costs a validating resolver another SHA-1 computation per name when it processes a negative answer, without a meaningful gain against dictionary attacks on the hashed names, and validators now treat zones with high iteration counts as insecure.
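To see what these parameters mean in practice, here is an added example (not code from the original article or from the Windows DNS server) that recomputes the NSEC3 hashed owner names of this zone from its NSEC3PARAM record. The salt, iteration count and the two hashed owner names are copied from the signed zone file shown later in this article; the example verifies that those owner names are the SHA-1 hashes of the zone apex and of "www" under this salt and iteration count, and checks itself against the RFC 5155 Appendix A test vector.

```python
"""Recompute NSEC3 hashed owner names for the zone signed in this article.

Added example (not from the original page or from Microsoft). Inputs are
copied from the signed zone file shown later on the page: NSEC3PARAM
"1 0 50 7A59BC4B8A536621" (SHA-1, no opt-out, 50 extra iterations, 8-byte
salt) and the two hashed owner names of the NSEC3 chain.
"""
import hashlib

# Base32 "extended hex" alphabet (RFC 4648 section 7). NSEC3 uses it so that
# hashed owner names sort in the same order as the underlying hash values.
_B32HEX = "0123456789abcdefghijklmnopqrstuv"


def to_wire(name):
    """Canonical wire form of a domain name: lowercase labels, each prefixed
    by its length byte, terminated by the zero-length root label."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def b32hex(data):
    """Unpadded base32hex. A 20-byte SHA-1 digest is 160 bits, i.e. exactly 32
    characters; other lengths are zero-padded on the right to a multiple of 5 bits."""
    total = len(data) * 8
    pad = (-total) % 5
    bits = int.from_bytes(data, "big") << pad
    nchars = (total + pad) // 5
    return "".join(_B32HEX[(bits >> (5 * i)) & 31] for i in reversed(range(nchars)))


def nsec3_hash(name, salt, iterations, algorithm=1):
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt).
    The stored value is IH(iterations), so SHA-1 runs iterations+1 times."""
    if algorithm != 1:
        raise ValueError("only NSEC3 hash algorithm 1 (SHA-1) is defined")
    digest = hashlib.sha1(to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def parse_nsec3param(rdata):
    """Parse NSEC3PARAM presentation RDATA "alg flags iterations salt";
    a salt of "-" denotes the empty salt. Returns (alg, flags, iterations, salt bytes)."""
    alg, flags, iterations, salt = rdata.split()
    return int(alg), int(flags), int(iterations), (b"" if salt == "-" else bytes.fromhex(salt))


# Values copied from the signed zone file on this page.
ZONE = "windnssec.signed04.dnslab.org"
NSEC3PARAM = "1 0 50 7A59BC4B8A536621"
# Hashed owner names from the zone's NSEC3 chain. The NSEC3 whose type bitmap
# contains SOA must be the apex; the one listing only "A RRSIG" must be www.
EXPECTED = {
    ZONE: "vpsasnt3eaq49l9cuq3lqrdgsbijkf65",
    "www." + ZONE: "p5v0al7iu1nhknb885o88bmd2on6v650",
}


def check_zone_nsec3():
    """Map each original name to whether the recomputed hash equals the zone's."""
    alg, _flags, iterations, salt = parse_nsec3param(NSEC3PARAM)
    return {n: nsec3_hash(n, salt, iterations, alg) == h for n, h in EXPECTED.items()}


def rfc5155_vector_ok():
    """Independent sanity check against the RFC 5155 Appendix A example zone:
    "example" with salt aabbccdd and 12 iterations hashes to 0p9mhaveqvm6t7vbl5lop2u3t2rp3tom."""
    return nsec3_hash("example", bytes.fromhex("aabbccdd"), 12) == "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom"


if __name__ == "__main__":
    print("RFC 5155 test vector:", "ok" if rfc5155_vector_ok() else "FAILED")
    for name, ok in check_zone_nsec3().items():
        print(f"{name:40} {'matches zone' if ok else 'MISMATCH'}")
```

This is exactly the work a validating resolver has to do for every negative answer from the zone: hash the queried name (51 SHA-1 computations with these parameters) and find the NSEC3 interval that covers it. With iterations set to 0 the same check costs one SHA-1 per name, which is why RFC 9276 recommends it.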

I enable the automatic update of trust anchors according to RFC 5011. This only matters for validators that configure this zone's KSK directly as a trust anchor; a resolver that validates via the chain of trust from the root learns about KSK rollovers through the DS record in the parent zone.

The delegation signer (DS) records are generated using both SHA-1 and SHA-256. Available digest algorithms for the DS record are SHA-1, SHA-256 and SHA-384. (Since RFC 8624, SHA-1 DS records should no longer be published; SHA-256 is the digest type every validator must support, so the SHA-1 record adds nothing once a SHA-256 record for the same key exists.)

Having completed the DNSSEC signing parameters, the Windows 2012 DNS server creates the key material and signs the zone. This takes a few seconds.

Inspecting the signed zone

Once the zone is signed, the signed zone file, as well as the ds-set and key-set files, appear in the "C:\Windows\System32\dns" folder.

I then created an extra "www" A record in the zone. The new record was signed automatically on creation (its RRSIG, made with ZSK 20011, is visible both in the dig output and in the zone file below).

Once the DS records and the delegation NS records are added to the parent zone, the new zone hosted on the Windows 2012 DNS server validates. The "ad" (authenticated data) flag in the reply from the validating BIND resolver shows that the answer passed DNSSEC validation:

 # dig  www.windnssec.signed04.dnslab.org a +dnssec +multi 

; <<>> DiG 9.9.1-P2 <<>> www.windnssec.signed04.dnslab.org a +dnssec +multi
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30532
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;www.windnssec.signed04.dnslab.org. IN A

;; ANSWER SECTION:
www.windnssec.signed04.dnslab.org. 3600 IN A 192.0.2.10
www.windnssec.signed04.dnslab.org. 3600 IN RRSIG A 8 5 3600 (
                                20120921134910 20120911124910 20011 windnssec.signed04.dnslab.org.
                                u24KXaMM+a4ysMlhNvAUVuiuXNrUVyHs6XvAAXOhQmAS
                                Jt6cbPhM09QkwRV2OWstVukqqVHugOOU70GmzGSpfsAi
                                3iOcQ4GLK7S6bH09lSuutfH1Ezxt2CPEW3pqeyaBbZLZ
                                kP53NQ7o/nMuZQmEBv/NqRvBvPuHhpjsx4RV+tc= )

;; Query time: 867 msec
;; SERVER: 192.168.53.251#53(192.168.53.251)
;; WHEN: Tue Sep 11 14:08:00 2012
;; MSG SIZE  rcvd: 267

Below is the full zone, as created by the Windows 2012 DNS Server:

;
;  Database file windnssec.signed04.dnslab.org.dns for windnssec.signed04.dnslab.org zone.
;      Zone version:  5
;

@                       IN  SOA win2012ga.home.strotmann.de. hostmaster.home.strotmann.de. (
                        		5            ; serial number
                        		900          ; refresh
                        		600          ; retry
                        		86400        ; expire
                        		3600       ) ; default TTL

;
;  Zone NS records
;

@                       NS	win2012ga.home.strotmann.de.

;
;  Zone records
;

@                       RRSIG	NS 8 4 3600 20120921134910 (
                        		20120911124910 20011 windnssec.signed04.dnslab.org.
                        		MtnYnQCIMDLbCcbnbrDFDLjHKRIq4cCh5VWd
                        		sqQoDDf8tcYnQB3MlmkpI9S2M2xX/ztR434x
                        		1W1K7FTeu+rcBIE0EpMNHyCzVNjQdQA+AudL
                        		7Rk+xS8M+RvmMRoI1gv5ghkocMHfHDHHIu3W
                        		XgZGxPRSpF8B1nuesvvuFqX+l1k=
                        		)
@                       RRSIG	SOA 8 4 3600 20120921134910 (
                        		20120911124910 20011 windnssec.signed04.dnslab.org.
                        		NU14HQT1Ne6+eL0CIcSxEADuRvuhfahlD6lb
                        		n6kmXaMo0HNXuDpTKL78VN+XjAoPMt0DkC5A
                        		t6ZDwq/iXL/Cz0HHnqVZMBWk5TM7Vtc+WIWt
                        		ofS4cdAUdaSpVvLlNObANxYYZmeKL3qTblni
                        		00tL3J4IZRTrPmeFiMrVd/djdvo=
                        		)
@                       RRSIG	DNSKEY 8 4 3600 20120918134910 (
                        		20120911124910 20011 windnssec.signed04.dnslab.org.
                        		mTI3j5FYloUSk+tpVI6vJqoqra0YWLJ4O0ha
                        		zlBW3mgBSr9P5bAPp2buKtwZBIv6+2peHGyW
                        		DBFS0QjLIaHmQuDS5LL14M2ebUWYrbqCo4It
                        		NAQB/ArX+JdujYtUKqcagsjM0NRq+RW59dq1
                        		Rys3AHZzqSaDA4AmXFMBybg6awc=
                        		)
@                       RRSIG	DNSKEY 8 4 3600 20120918134910 (
                        		20120911124910 8257 windnssec.signed04.dnslab.org.
                        		Vd1Z6Xjy01g6Ym4Qx/VD5RGbIoUGHQ9mC0Rh
                        		DdktnyHklNKWVXJ+zHP/NnsEwvYzCnr1NetC
                        		6Sfu8y+VtRf9t+tXBMJWXNHNjti4HNzNEKvx
                        		gPwBJXkfm/27xHBgtG80RduTcVTa5iK5bS0Q
                        		C9FXQQHJVTgLt+d7Pky5QjkPl3bVhoefWBDw
                        		Y4TPGALC1MnR7sjheqnCuZW//cb4k1RldmNY
                        		4vWUKEJDn4kBnQjfD15N9rM202W0AyyV71IA
                        		6Rv4GsgHHeDDHgfyAycYku/7QP3CqG7fDlZO
                        		V+MWsgUfHoiAlJwGCXvzKvqhNTQY3rPmx89o
                        		SyKRHdXvldCWkkfNzXCFTBvkO/pcioXcNBmX
                        		xqn4SBuZengdbJ4lHdveXnlOrr1ZG32+zm3K
                        		ppbD5LBy4DQnKHpD4AthnW2vq3P22uHBdotA
                        		zIrRvp6hJZP0QHysHwyJ4PF/4E3pO3OgeXcQ
                        		jU7Q4dgtF2vU3owYgk2BwRyH92abqzTeKjuc
                        		PMtADjVtiugrhmRQJ9Ex5tAt8o/0ssa7oAeG
                        		LNUiRoVlXN+OXUeJkL8V9EezOngmqlrUQVV7
                        		Q5v4l/E+Tbe4l9UneDIsUQ6Kht+MlDeLfwAq
                        		YRRBYW/cE+MWZngFFLK4XWVmcQ+X3hYlVUjO
                        		Oj748CSEiJ9SKp8iwwSDqhRa3TsjwPSKXpA=
                        		)
@                       RRSIG	NSEC3PARAM 8 4 3600 20120921134910 (
                        		20120911124910 20011 windnssec.signed04.dnslab.org.
                        		pMXl43pA/GVXvx85lE9umxnSHmYRjDV2dvii
                        		S2H/A2BXikvkG5S2Ou1i/+1ky1vkavabUaoQ
                        		PqVbBhNhotqrtwdU2LWhIepCUCAEeFpRgu21
                        		sD/bgMw6367GFIQhqDO2CvCkVH/yTFOe63Ez
                        		9G/BNzKocO0LiqlLo0fV6+ipLIE=
                        		)
@                       DNSKEY	256 3 8 (
                        		AwEAAcMfL/1WuSs6zzEQbqTjOTC9DsDlR2tX
                        		rNPEA3cJFTxUpyU7K/5ykr4Y+hjJ2Z7JHVwD
                        		5edp50SKAywNgFyIAcKH8wHhF07Xfl77RYFg
                        		oEE1x33Q0BatRSk46pw1ZJOAsk10V6gxaf/1
                        		51gNvjdjX1S7MmGK/8i5TpHLoAc59iHv
                        		) ; key tag = 20011
@                       DNSKEY	256 3 8 (
                        		AwEAAbF31wsrhR4EKPkQs1V5zgXqoYz/z2sI
                        		wLCKx1CXmT3xtFhh0xMd+Y+xIn82n8AdY9K/
                        		M0v116WLExzvYSdl/aTuIjiQ5rYB/JLIaLCL
                        		HLYBaShWPsEzpFhawTvI3NuyTB5dolednL5T
                        		fEjs2QZgwly/SF7Na9lIf7x5GJojhXzj
                        		) ; key tag = 55764
@                       DNSKEY	257 3 8 (
                        		AwEAAa8e3bf1svqyWOZDVU8bJ2QYtIBmF8r6
                        		YQq72phpyVgDGpcyrtITXC0dwpa5XQi+CPTh
                        		5vO89W//8cSIacUiLtaIhb0ipTHobUmDwAnw
                        		8mFANY6milnaAkG6Gz5oBxzolybWo4HDcEFM
                        		QZLpynP7ZfJHeVB0VU5Qzbja069OHY4w8CfZ
                        		zA5OLJt1tHEj+xnGzfazPS5nUDKOoT17Bizc
                        		l1gTQFb7TnwJFgwuOuy7OxiGAvaRqIdfPm5C
                        		7i8Dxko11K/0isaTjhvHsdgh0EgTgCGWcRbn
                        		s/gXw3U5956hkSxtT2g4Yskii1OEwwy7ODnJ
                        		dHJM9cDm5IvLS+8ZA5hCl8+E33vOyld+qBEo
                        		P8ySzzQF2kGGs77iVSv4ZpgDwOrYqS8Yr2/6
                        		A5z4jHzLIWBkUq9pXgBh44hAPIWgsJ8MAWTP
                        		FhQHBRnBg3VA/K91fQjSV27ZQpcEv6105eXQ
                        		dJEfRGKkC+8cr+oHtfMdY/kHYQ8nnId5AFou
                        		oTS+2s7h8sYdNPB4eoDWFA1Vl7VBRQVwlRmg
                        		uj+7Y8y2Kjh/SDBImBo/afEiLa+1ffdG6Ag3
                        		g8e/FTfw+uK1cXRD237ldEKY+ay8N8BXre15
                        		QrSiA39M8pWTIwtKq1Ant+b6F/8BCiQF/FhZ
                        		zvRnTetjQK6pan9JPVb4k089PjwP7j+ik22Z
                        		KmRn
                        		) ; key tag = 8257
@                       DNSKEY	257 3 8 (
                        		AwEAAb/rrPNxWAAeHjWRX0Pl10Po3ZQ7FWO+
                        		+rVagU+iThBqRHXWkE56hFVkG4NH6OufH7+c
                        		KZbDvv35D7QgwkEGaGFkLTeJxgWioeKB9ezT
                        		MRMfYmP1UoMIzBE/vuhaegKEMpvleHvupYTD
                        		uLURYYC316GlqxZh+6GW1Vlai9rYHhPiKnaN
                        		96/3IWa0mmr1Lhj4jU645AOGBgWwsNR8/hrM
                        		LIoTcBTakC+zXG/Fzt8sAMe6EH3Cp2IKOrd7
                        		Hw8bHxxP3jzY+5kKKo23u7aL4ljAeeNhC3a9
                        		x2vhiah2NkVWdZrM9HueLAeRy8i++JRIfTFe
                        		vcmRQoVXfAOPFirkHpsuvMUlBYgdSfcMowln
                        		tNr7C2MUCehDBzxmZg/tfQLV2BLKj8qIU35F
                        		e8siumA/Jvv0qXSOfqnhKUwkPL1UsTRovV/G
                        		Yh6HkF7COKxG3rLHK3elJAysN2efKtSyXBaw
                        		lkm19WAre22srihqQGFOH9dg8nT/iptWnhl4
                        		lXppXXutmkdK0jdq4Sbmd321Bxpyk2wPdsjF
                        		OJYjTjf38iqC0GXopYoDXGa4qoJch3yDGGM4
                        		NtpR+hY90sT0xbWeok1vyfNBI9vXUp0x8coh
                        		yR6DpVszYvrct9To15ofdA5s1gr81PYUuIOl
                        		6vpJrqY9U1Lo5FvE5ktmELwgOo/aN2BNn8Ye
                        		vXCX
                        		) ; key tag = 64486
@                       NSEC3PARAM	1 0 50 7A59BC4B8A536621
p5v0al7iu1nhknb885o88bmd2on6v650 RRSIG	NSEC3 8 5 3600 20120921134910 (
                        		20120911124910 20011 windnssec.signed04.dnslab.org.
                        		Ik6uRXyvUKhukQ1O6kVhIokOxIkJRt6vIN/U
                        		2/fIom1qHvDaLZegzeOR/9ZjBypnGoHXBAdv
                        		cutwmQPC765uNDTJW4C1WnGPQccV6KaSICiq
                        		o+jlOeu9SNlxaMsFul3GQ/C2BV6cyMt2V/nN
                        		iMCVLL5TxvhpHISNE+bdmw5otN8=
                        		)
                        NSEC3	1 0 50 7A59BC4B8A536621 vpsasnt3eaq49l9cuq3lqrdgsbijkf65 A RRSIG
vpsasnt3eaq49l9cuq3lqrdgsbijkf65 RRSIG	NSEC3 8 5 3600 20120921134910 (
                        		20120911124910 20011 windnssec.signed04.dnslab.org.
                        		KTacQes3fi3V35WbYblvdwBAZmnoZHDu+jZP
                        		js0DXZoRnG0ttvf5mPIqF8WhsgKRty4gDyln
                        		bEoHCWal9Y/lAYLP0PNv6hc0g/uzu3oB5VuD
                        		Dz+MusfmWmr7iBWc+8AGTc/HsEonflZbmIoE
                        		XSFhLpCrf5X8dPewtZB9cl80TIg=
                        		)
                        NSEC3	1 0 50 7A59BC4B8A536621 p5v0al7iu1nhknb885o88bmd2on6v650 NS SOA RRSIG DNSKEY NSEC3PARAM
www                     A	192.0.2.10
                        RRSIG	A 8 5 3600 20120921134910 (
                        		20120911124910 20011 windnssec.signed04.dnslab.org.
                        		u24KXaMM+a4ysMlhNvAUVuiuXNrUVyHs6XvA
                        		AXOhQmASJt6cbPhM09QkwRV2OWstVukqqVHu
                        		gOOU70GmzGSpfsAi3iOcQ4GLK7S6bH09lSuu
                        		tfH1Ezxt2CPEW3pqeyaBbZLZkP53NQ7o/nMu
                        		ZQmEBv/NqRvBvPuHhpjsx4RV+tc=
                        		)

We see four DNSKEY records in the zone, two KSKs and two ZSKs. One ZSK and one KSK are "active" (used to create signatures), while one KSK is the "stand-by" key for an emergency rollover. I'm not sure of the role of the extra ZSK. The signatures in the zone file show which keys are in use: every RRSIG over zone data carries key tag 20011, the DNSKEY RRset is signed by 20011 and by the KSK 8257, and neither 55764 nor 64486 has produced a signature.

Keys in the "windnssec.signed04.dnslab.org" zone:

Type   Key tag   Status
KSK    8257      active
KSK    64486     standby
ZSK    20011     active
ZSK    55764     ??

Unfortunately, the key tags (key IDs) are not shown in the Windows 2012 DNS Manager GUI. Seeing the key tag of each key in a zone would be quite useful when troubleshooting DNSSEC issues, because the key tag is the value that RRSIG and DS records refer to.
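Because the key tag is only a checksum over the DNSKEY RDATA (RFC 4034, Appendix B), it can be computed from the DNSKEY records themselves. The following added example (not code from the original article or from the Windows DNS server) does this for three of the four keys copied from the zone file above, and also derives the DS records for the KSK in both SHA-1 and SHA-256 form, which is the check to run against what the parent zone actually publishes for this delegation. The standby KSK 64486 is left out only to keep the sample short; the ds-set file contents are not on this page, so the DS lines can be checked here only for key tag and format.

```python
"""Key tags and DS records derived from the DNSKEY RRset of the zone signed in
this article.

Added example (not from the original page or from Microsoft). The DNSKEY
records are copied from the signed zone file above; the standby KSK (64486)
is omitted to keep the sample short. Key tag: RFC 4034 Appendix B. DS digest:
RFC 4034 section 5.1.4 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
"""
import base64
import hashlib
import struct

ZONE = "windnssec.signed04.dnslab.org"

# DNSKEY RDATA in presentation format: flags, protocol, algorithm, base64 key.
# Flags 256 = zone key (ZSK); 257 = zone key + SEP bit (KSK). Algorithm 8 = RSASHA256.
DNSKEYS = [
    # ZSK, labelled "key tag = 20011" in the zone file
    "256 3 8 "
    "AwEAAcMfL/1WuSs6zzEQbqTjOTC9DsDlR2tX"
    "rNPEA3cJFTxUpyU7K/5ykr4Y+hjJ2Z7JHVwD"
    "5edp50SKAywNgFyIAcKH8wHhF07Xfl77RYFg"
    "oEE1x33Q0BatRSk46pw1ZJOAsk10V6gxaf/1"
    "51gNvjdjX1S7MmGK/8i5TpHLoAc59iHv",
    # ZSK, labelled "key tag = 55764"
    "256 3 8 "
    "AwEAAbF31wsrhR4EKPkQs1V5zgXqoYz/z2sI"
    "wLCKx1CXmT3xtFhh0xMd+Y+xIn82n8AdY9K/"
    "M0v116WLExzvYSdl/aTuIjiQ5rYB/JLIaLCL"
    "HLYBaShWPsEzpFhawTvI3NuyTB5dolednL5T"
    "fEjs2QZgwly/SF7Na9lIf7x5GJojhXzj",
    # active KSK (4096 bit), labelled "key tag = 8257"; it signs the DNSKEY RRset
    "257 3 8 "
    "AwEAAa8e3bf1svqyWOZDVU8bJ2QYtIBmF8r6"
    "YQq72phpyVgDGpcyrtITXC0dwpa5XQi+CPTh"
    "5vO89W//8cSIacUiLtaIhb0ipTHobUmDwAnw"
    "8mFANY6milnaAkG6Gz5oBxzolybWo4HDcEFM"
    "QZLpynP7ZfJHeVB0VU5Qzbja069OHY4w8CfZ"
    "zA5OLJt1tHEj+xnGzfazPS5nUDKOoT17Bizc"
    "l1gTQFb7TnwJFgwuOuy7OxiGAvaRqIdfPm5C"
    "7i8Dxko11K/0isaTjhvHsdgh0EgTgCGWcRbn"
    "s/gXw3U5956hkSxtT2g4Yskii1OEwwy7ODnJ"
    "dHJM9cDm5IvLS+8ZA5hCl8+E33vOyld+qBEo"
    "P8ySzzQF2kGGs77iVSv4ZpgDwOrYqS8Yr2/6"
    "A5z4jHzLIWBkUq9pXgBh44hAPIWgsJ8MAWTP"
    "FhQHBRnBg3VA/K91fQjSV27ZQpcEv6105eXQ"
    "dJEfRGKkC+8cr+oHtfMdY/kHYQ8nnId5AFou"
    "oTS+2s7h8sYdNPB4eoDWFA1Vl7VBRQVwlRmg"
    "uj+7Y8y2Kjh/SDBImBo/afEiLa+1ffdG6Ag3"
    "g8e/FTfw+uK1cXRD237ldEKY+ay8N8BXre15"
    "QrSiA39M8pWTIwtKq1Ant+b6F/8BCiQF/FhZ"
    "zvRnTetjQK6pan9JPVb4k089PjwP7j+ik22Z"
    "KmRn",
]


def to_wire(name):
    """Canonical wire form of a domain name (lowercase, length-prefixed labels, root byte)."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def dnskey_rdata(presentation):
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    flags, protocol, algorithm, *key = presentation.split()
    return struct.pack("!HBB", int(flags), int(protocol), int(algorithm)) + base64.b64decode("".join(key))


def key_tag(rdata):
    """RFC 4034 Appendix B: sum the RDATA as big-endian 16-bit words, then fold
    the carry in once. (Only the obsolete algorithm 1, RSAMD5, used another formula.)"""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DS_DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def ds_record(owner, rdata, digest_type):
    """DS RDATA: key tag, algorithm, digest type, hex digest of (owner name || DNSKEY RDATA)."""
    digest = DS_DIGESTS[digest_type](to_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def zone_key_tags():
    """Key tags of the DNSKEYs above, in the same order."""
    return [key_tag(dnskey_rdata(k)) for k in DNSKEYS]


def zone_ds_records(digest_types=(2,)):
    """DS records for every key carrying the SEP flag (low-order bit of flags), i.e. the KSKs."""
    out = []
    for k in DNSKEYS:
        rdata = dnskey_rdata(k)
        if int.from_bytes(rdata[:2], "big") & 0x0001:
            out.extend(ds_record(ZONE, rdata, dt) for dt in digest_types)
    return out


def signer_is_published(rrsig_key_tag):
    """First check a validator makes: does an RRSIG's key tag match a published DNSKEY?"""
    return rrsig_key_tag in zone_key_tags()


if __name__ == "__main__":
    for k, tag in zip(DNSKEYS, zone_key_tags()):
        print(f"flags {k.split()[0]}  key tag {tag}")
    for ds in zone_ds_records((1, 2)):
        print(f"{ZONE}. IN DS {ds}")
    print("RRSIG key tag 20011 published:", signer_is_published(20011))
```

Compare the printed DS lines with what the parent returns for `dig ds windnssec.signed04.dnslab.org +dnssec`: a DS whose digest matches one of these lines is the link in the chain of trust, and a mismatch (stale DS after a KSK rollover, or a typo when the DS was entered at the parent) makes the whole zone fail validation.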

DS set file

Below is the ds-set file created by the Windows 2012 DNS server. The file can be found in C:\Windows\System32\dns:
