I’ll be honest, I’m not a big fan of the Windows DNS service. Still, there are cases where an organization might want to use the Windows DNS service as the primary for its Internet-facing zones. I wanted to see how DNSSEC is set up on Windows and whether Bind 9 could slave off of it. It turns out it works fine. This is the second of two posts on DNSSEC; the first post can be viewed here and dealt with setting up a Bind 9 primary server with DNSSEC.
Most of what I did here is documented in the Microsoft DNSSEC guide. It’s really long, and it took a lot of reading to figure out what actually needed to be done (tl;dr: keep that document handy if you are working on this). Broken down, the process is roughly the same as for Bind 9:
- Build your zone files.
- Create a KSK, and ZSK.
- Sign the zone file.
- Reconfigure DNS server to use the signed file.
- Slave your other servers.
- Send the DS record to the registrar.
- Test.
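For the last two steps, here is an added example (not code from the original post or from Microsoft’s guide): a small Python script that derives the DS record from a KSK DNSKEY line as it appears in the signed zone, and then checks a DS line that the parent zone publishes against it. The DNSKEY line and its key bytes are constructed dummies, not a real key.

```python
import base64
import hashlib

# Constructed sample KSK (flags 257, RSASHA256 = algorithm 8) with dummy key bytes.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA=="

DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034 / 4509)

def canonical_name(name: str) -> bytes:
    """Owner name in DNS wire format, lowercased, as RFC 4034 requires for the DS digest."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line: str):
    """Split a DNSKEY presentation line into (owner, flags, protocol, algorithm, rdata)."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], flags, proto, alg, rdata

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (valid for every algorithm except obsolete RSAMD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(dnskey_line: str, digest_type: int = 2) -> str:
    """Build the DS record to hand to the registrar; only the KSK (SEP flag set) needs one."""
    owner, flags, proto, alg, rdata = parse_dnskey(dnskey_line)
    if flags & 1 == 0:
        raise ValueError("DS records are derived from the KSK (flags 257), not the ZSK")
    digest = DIGEST_ALGS[digest_type](canonical_name(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_matches(published_ds: str, dnskey_line: str) -> bool:
    """Compare the DS the parent actually serves (with or without TTL) to the one we derive."""
    pub = published_ds.upper().split()
    pub_rdata = pub[pub.index("DS") + 1:]
    want = ds_record(dnskey_line, digest_type=int(pub_rdata[2])).upper().split()
    return want[want.index("DS") + 1:] == pub_rdata

if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY))
```

Paste the KSK line from your signed zone into `SAMPLE_DNSKEY` and compare the output with what `dig DS` returns from the parent once the registrar has published it.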
The Windows DNSSEC implementation has a few differences from Bind. First, you can’t sign dynamic DNS zones (Bind can). Otherwise it works almost the same, as long as you are willing to hand-edit the zone files (they are pretty much the same format as Bind’s, so if you know that, it is dead simple). I am not going to cover the maintenance of DNSSEC zones on Windows; basically, the process is: edit your source zone, increment the serial number, re-sign, and tell the service to reload the zone configuration. Easy enough.
Here’s the zone I’ll be working with . . .
First step is to create your Key Signing Key: