As promised, the latest version of Windows Server 2008 R2 is the first Windows Server to fully support DNSSEC. DNSSEC is a security protocol that helps to verify that a Web address hasn't been hacked and redirected to a pretender. Better still, Windows 7 also supports DNSSEC, which Microsoft claims is a first among client operating systems.
DNSSEC had been bandied about the IETF for years but came into the public eye in July 2008, when security researcher Dan Kaminsky disclosed a serious flaw in the DNS that makes it possible for hackers to launch DNS cache poisoning attacks.
In response to that flaw, for the first time, vendors such as Microsoft, Sun and Cisco banded together to close it. But even a year after that historic patch, security experts said that DNS still needed to be more secure. DNSSEC applies the old public/private key cryptography trick to solve the DNS problem. Obviously, issues abound with rolling out such a fix, among them a lack of servers and clients that supported DNSSEC. But progress is being made. ICANN is expected to start rolling out changes to the root zone in January 2010 that will let DNSSEC be applied, even in developing areas of the world, such as the countries of Africa, source of so much Nigerian spam, reports Computerworld.
The previous version of Windows Server 2008 did partially support this security protocol, but WS2008 R2 is the first Microsoft server operating system to be fully compliant with the current standards (the IETF's RFC 4033, RFC 4034, and RFC 4035).
With DNSSEC support, network administrators can use a Windows Server machine to generate keys and to validate that files being requested by servers over the Web are being sent by a trusted source. Similarly, the Windows 7 client includes what it needs to validate that it is communicating with a server using DNSSEC and that said server has completed a validation process. A TechNet article from May that lists all of the security features in Windows 7 puts it this way:
"Windows Server 2008 R2 and Windows 7 introduce support for DNSSEC as per the current standards (RFC 4033, RFC 4034, and RFC 4035). Windows Server 2008 R2 will allow the DNS Server to provide origin authority and data integrity artifacts. Basically, a server will be able to attach digital signatures to DNS data in responses as well as validate data received from other DNS servers.
"Windows 7 is the first client operating system to include the necessary pieces to allow the client to verify that it is communicating securely with a DNS server and verify that the server has performed DNSSEC validation on its behalf. This technology is currently being tested to ensure the maximum compatibility with current Internet infrastructure and aims to play a continuing role in securing DNS data in the future."
If all this sounds complicated, that's because it is. To that end, last week Microsoft released a Windows Server 2008 R2 deployment guide. This 85-page how-to guide offers a nice overview of the entire process of setting up DNSSEC on Windows Server. The plot of this novella of a guide may not be gripping, but better Web security does promise a happy ending.
The Microsoft Subnet blog is the official blog of the Network World's Microsoft Subnet community, and is written by Online Community editor Julie Bort.