DNSSEC Continued . . . Windows 2008R2 as Primary

I’ll be honest, I’m not a big fan of the Windows DNS service.  There are cases where an organization might want to use the Windows DNS service as a primary for their Internet facing zones.  I wanted to see how DNSSEC was setup on Windows and if Bind 9 could slave off of it.  Turns out it works fine.  This is the second of two posts on DNSSEC, the first post can be viewed here and dealt with setting up a Bind 9 primary server with DNSSEC. Most of what I did here is documented in the Microsoft DNSSEC guide.  It’s really long and it took a lot of reading to figure out what really needed to be done. (tl;dr)  It’s a good idea to have this document handy if you are working on this.  Broken down, the process is roughly the same as Bind 9.
  • Build your zone files.
  • Create a KSK and a ZSK.
  • Sign the zone file.
  • Reconfigure the DNS server to use the signed file.
  • Slave your other servers.
  • Send the DS record to the registrar.
  • Test.
The Windows DNSSEC implementation has a few differences from Bind; first, you can't sign dynamic DNS zones (Bind can). Otherwise it works almost the same, as long as you are willing to hand-edit the zone files (they are pretty much the same format as Bind, so if you know that it is dead simple). I am not going to cover the maintenance of DNSSEC zones on Windows; basically the process is: edit your source zone, increment the serial number, re-sign, and tell the service to reload the zone configuration. Easy enough. Here's the zone I'll be working with …

First step is to create your Key Signing Key:

Then the Zone Signing Key:

Note that the KSK is 2048 bits and the ZSK is only 1024 bits. You can view the keys in the Certificates (computer) snap-in for MMC (Microsoft, and I, suggest backing these keys up somewhere). No validity dates were specified when creating the keys, so they default to now through +5 years.

Now that the keys have been created and backed up, the zone is signed:

To get the signed zone loaded, the original zone is deleted from the server (the original zone file on disk is not deleted):

Then the new signed zone file is loaded:

Reload the zone in DNS Manager and confirm it looks signed …

The signed records are only valid for one year; don't forget to come back and re-sign before they expire.

Slave setup is really easy: open the zone's properties, add the IP addresses of the slaves that are allowed to transfer the zone, and don't forget to set up notification too:

Now, on the Bind server, set up your slave zone:

Perform an rndc reload and see if the DNSSEC records are on the slave:

Looks good! Now send the DS records to the registrar for the zone. The records are in the C:\Windows\System32\dns\dsset-{zonename} file. Here are some cut-and-paste-able command lines that I used:
 DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Flags KSK /Length 2048 /Zone {ZONE.NAME} /SSCert /FriendlyName KSK-{ZONE.NAME}
 DnsCmd /OfflineSign /GenKey /Alg rsasha1 /Length 1024 /Zone {ZONE.NAME} /SSCert /FriendlyName ZSK-{ZONE.NAME}
 DnsCmd /OfflineSign /SignZone /input {ZONE.NAME}.dns /output {ZONE.NAME}.dns.signed /zone {ZONE.NAME} /signkey /cert /friendlyname ksk-{ZONE.NAME} /signkey /cert /friendlyname zsk-{ZONE.NAME}
 dnscmd /ZoneDelete {ZONE.NAME} /f
 dnscmd /ZoneAdd {ZONE.NAME} master /file {ZONE.NAME}.dns.signed /load
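The "see if the DNSSEC records are on the slave" check and the one-year re-sign reminder, as an added example that is not code from the post: a small Python checker over dig-style answer lines that confirms the slave serves both DNSKEYs (KSK and ZSK) plus RRSIGs, and reports how long before the earliest signature expires. The zone name, key tags and signature data are constructed sample values, not records from the author's servers.

```python
import re
from datetime import datetime

# Constructed sample of dig +dnssec answer lines for a hypothetical zone
# (not output from the servers in the post).
SAMPLE_DIG_OUTPUT = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2011051501 900 600 86400 3600
example.test. 3600 IN RRSIG SOA 5 2 3600 20120515000000 20110515000000 12345 example.test. c2lnMQ==
example.test. 3600 IN DNSKEY 257 3 5 AwEAAa==
example.test. 3600 IN DNSKEY 256 3 5 AwEAAb==
example.test. 3600 IN RRSIG DNSKEY 5 2 3600 20120515000000 20110515000000 54321 example.test. c2lnMg==
example.test. 3600 IN NSEC www.example.test. SOA RRSIG DNSKEY NSEC
"""

# RRSIG presentation format: covers alg labels origttl expiration inception keytag signer sig
RRSIG_RE = re.compile(
    r"^\S+\s+\d+\s+IN\s+RRSIG\s+(?P<covers>\S+)\s+\d+\s+\d+\s+\d+\s+"
    r"(?P<expiration>\d{14})\s+(?P<inception>\d{14})\s+(?P<keytag>\d+)"
)
TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG timestamps are UTC

def parse_rrsigs(text):
    """One dict per RRSIG line: covered type, key tag and validity window."""
    sigs = []
    for line in text.splitlines():
        m = RRSIG_RE.match(line)
        if m:
            sigs.append({"covers": m["covers"], "keytag": int(m["keytag"]),
                         "inception": datetime.strptime(m["inception"], TIME_FMT),
                         "expiration": datetime.strptime(m["expiration"], TIME_FMT)})
    return sigs

def dnskey_flags(text):
    """Flags field of each DNSKEY record: 257 is the KSK (SEP bit set), 256 the ZSK."""
    return [int(f[4]) for f in (line.split() for line in text.splitlines())
            if len(f) > 4 and f[3] == "DNSKEY"]

def check_zone(text, now, warn_days=30):
    """Summarise the signing state of a slaved zone; `now` is YYYYMMDDHHMMSS UTC."""
    sigs = parse_rrsigs(text)
    flags = dnskey_flags(text)
    soonest = min((s["expiration"] for s in sigs), default=None)
    days_left = (soonest - datetime.strptime(now, TIME_FMT)).days if soonest else None
    return {
        "signed": bool(sigs) and 257 in flags and 256 in flags,
        "rrsig_count": len(sigs),
        "days_until_first_expiry": days_left,
        "needs_resign": days_left is not None and days_left <= warn_days,
    }
```

Feed it the answer section of `dig @slave {ZONE.NAME} ANY +dnssec` (or the AXFR output) and schedule it so a `needs_resign` result turns up before the RRSIGs lapse rather than after validating resolvers start returning SERVFAIL.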