Windows 2008 R2 validating DNSSEC resolvers

Spain, Dr. Jeffry A. spainj at countryday.net
Mon Feb 6 17:41:26 UTC 2012


> I know this is a bind list, but does anyone know any public information about when/if Microsoft is going to release a SHA2 compatible DNS server so it can be used as a validating DNSSEC resolver without forwarders? Since the root trust anchor is published in SHA2, currently it can't be used (unless someone knows a workaround).

We ran into the same roadblock and are using a bind9.8.1P1 server as a forwarder. Perhaps Windows Server 8 will offer something new a year from now. I haven't heard of anything for Windows Server 2008 R2, although SP2 is supposedly due for release in mid-2012. On the other hand forwarding to a bind system as the recursive resolver for Windows may ultimately be a more secure configuration. ISC has been pretty transparent and responsive with regard to DNS security issues and functionality updates. The fact that Microsoft *still* hasn't updated their DNS service to properly handle DNSSEC tells you something about their priorities, I think. The root zone was signed 18 months ago, after all.

I'm curious about your experience with the following in this context. We found that by default the Windows DNS service would forward queries to bind with the DO bit set in the OPT pseudo-resource record and the CD query flag set. In other words, Windows DNS was saying to bind "give me the DNSSEC info and I'll validate it." Of course without the root trust anchor in place, Windows could never do this. Bind would dutifully obey the request, however, so you never got the SERVFAIL response you would want with a DNSSEC validation failure. I opened a tech support case with Microsoft around this issue. It turns out that the command 'dnscmd /config /EnableEDnsProbes 0' fixes the problem by omitting the OPT pseudo-resource record and coincidentally clearing the CD query flag in all forwarded queries. See "Dnscmd" at http://technet.microsoft.com/en-us/library/cc772069(WS.10).aspx for further details.

You can test for this on your systems as follows: 'dig @bind.odvr.dns-oarc.net badsign-a.test.dnssec-tools.org' will return a SERVFAIL response from this publicly accessible DNSSEC-validating recursive resolver. Now on one of your Windows systems: 'dig badsign-a.test.dnssec-tools.org' (or use nslookup if you haven't installed the ISC DNS utilities for Windows). This will work through your Windows DNS infrastructure, and if it returns the answer 75.119.216.33 instead of SERVFAIL, then you are subject to this problem.

Jeffry A. Spain
Network Administrator
Cincinnati Country Day School
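Added example, not part of the message above or of any ISC or Microsoft tooling: the two query shapes the message describes (a forwarded query carrying the CD flag plus an EDNS0 OPT record with DO set, versus a plain query with neither), built and then inspected with a small stdlib-only Python script. The bit positions are the standard ones (CD is bit 4 of the header flags word per RFC 4035; DO is the high bit of the OPT record's TTL field per RFC 3225/RFC 6891). The sample packets are constructed here to match the description in the message, not captured from a real Windows DNS server, and the function names are my own. The inspection half can be run over query bytes pulled from a packet capture on the bind side to confirm whether a forwarder is asking bind to skip validation.

```python
"""Build and inspect DNS queries for the CD header flag and the EDNS0 DO bit.

A forwarder that sets CD=1 tells a validating recursive resolver to return
data it could not validate instead of SERVFAIL. Checking forwarded queries
for this flag shows whether the upstream resolver's validation is in effect.
"""
import struct

# Header flags word bit masks (RFC 1035, with AD/CD from RFC 4035).
FLAG_RD = 0x0100
FLAG_AD = 0x0020
FLAG_CD = 0x0010

# EDNS0 OPT pseudo-RR (RFC 6891): type 41, DO is the high bit of the TTL field.
TYPE_OPT = 41
OPT_DO = 0x8000
UDP_PAYLOAD = 4096


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, cd=False, edns=False, do=False, txid=0x1234):
    """Build a recursive DNS query; optionally set CD and/or add an OPT RR with DO.

    Constructed test input, approximating the two cases in the message.
    """
    flags = FLAG_RD | (FLAG_CD if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1 if edns else 0)
    pkt = header + encode_name(name) + struct.pack("!HH", qtype, 1)
    if edns:
        # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
        # TTL = ext-RCODE(8) | version(8) | DO(1) | Z(15), RDLENGTH=0.
        ttl = OPT_DO if do else 0
        pkt += b"\x00" + struct.pack("!HHIH", TYPE_OPT, UDP_PAYLOAD, ttl, 0)
    return pkt


def skip_name(pkt, off):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, 2 bytes total
            return off + 2
        off += 1 + length


def inspect_query(pkt):
    """Report the CD flag and, if an OPT RR is present, its DO bit."""
    _txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns):
        off = skip_name(pkt, off)
        _t, _c, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
    has_opt, do_set = False, False
    for _ in range(ar):
        off = skip_name(pkt, off)
        rtype, _c, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_OPT:
            has_opt, do_set = True, bool(ttl & OPT_DO)
    return {"cd": bool(flags & FLAG_CD), "edns": has_opt, "do": do_set}


def validation_is_delegated(pkt):
    """True when the query asks the upstream resolver to skip validation (CD=1)."""
    return inspect_query(pkt)["cd"]


# Constructed samples: the default forwarding behaviour the message describes,
# and the shape after 'dnscmd /config /EnableEDnsProbes 0' (no OPT, CD clear).
WINDOWS_DEFAULT = build_query("badsign-a.test.dnssec-tools.org", cd=True, edns=True, do=True)
AFTER_FIX = build_query("badsign-a.test.dnssec-tools.org")

if __name__ == "__main__":
    for label, pkt in (("default forwarder query", WINDOWS_DEFAULT), ("after fix", AFTER_FIX)):
        info = inspect_query(pkt)
        verdict = "upstream validation bypassed" if info["cd"] else "upstream validates"
        print(f"{label}: {info} -> {verdict}")
```

Only the CD flag matters for the bypass: a validating resolver honours CD=1 regardless of whether DO is set, so a forwarder that still sends OPT/DO but with CD=0 gets SERVFAIL on bogus data as expected.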



