DNSSEC signing a zone with Windows Server 2012
Windows 2012 Server was released on 4th of September 2012. Time to have a closer look at the DNSSEC signing capabilities (information about DNSSEC validation on Windows 2012 can be found in the article "DNSSEC validation in Microsoft DNS Server 2012").
For the DNSSEC zone signing walk-through a newly installed Windows 2012 "Standard" Server was used. Only the DNS role was installed in addition to the default components, no Active Directory. This article will cover the creation of a static DNS zone for the Internet. I do not cover the creation of an internal dynamic zones that is updated from clients or DHCP Server.
creating the zone
From the "DNS Manager", a new static zone is created.
Zone-Type is set to "Primary Zone" to create a primary master zone. The name of the zone is "windnssec.signed04.dnslab.org". The parent zone (signed04.dnslab.org) is hosted on a BIND 9.9.1-P2 server, and has a working DNSSEC chain-of-trust to the trust-anchor of the root-zone. An independent DNSSEC validating resolver (BIND 9 with configured root trust anchor) is used to validate the new zone.
./static/Windows2012-DNSSEC_files/7518b223-f5a0-42c3-868e-25748dca26ed.png
./static/Windows2012-DNSSEC_files/b77cb264-7532-4478-8cce-4f60e8c223f5.png
The zone-file for this static zone will be in the default location
"C:\Windows\System32\dns"
and the name will be
"windnssec.signed04.dnslab.org.dns"
.
Dynamic DNS updates are disabled, because this is for a static zone.
The zone is now complete, and works as a normal, non-DNSSEC secured zone.
Signing the zone
From the context menue on the zone name (right-click), I select "DNSSEC -> Sign the zone" to launch the DNSSEC zone signing wizard.
For this zone, we select to "Customize the zone signing parameters", not really because we want to make changes to the default, but to see all the default parameters and options that we can adjust in the wizard.
First are the KSK (Key Signing Keys). I keep the default values, except that I change the key size to a maximum of 4096 bits (default is 2048 bits). The default algorithm used is RSASHA256. The DNSKEY signatures are valid for 168 hours (7 days), the key rollover frequency is 755 days (2 years + 25 days). We could add more than one KSK to the zone, however, creating one KSK is usually enough, as the Windows 2012 DNS server will create an extra "emergency rollover" KSK automatically.
Next are the ZSK (Zone Signing Keys). I left the default values here. The rollover frequency is 90 day (3 month).
I use NSEC3 to the authenticated denial of existence, which is the default for Windows 2012.
The number of iterations is "50" (default), the salt is random, and the default size for the salt is 8 byte (or 256bit, the result is a 16 hex char salt). No "opt-out", as this zone will not have insecure delegations.
I enable the automatic update of trust anchors according to RFC 5011.
The delegation-signer (DS) records should be generated using both SHA-1 and SHA-256. Available hash algorithms for the DS record are SHA-1, SHA-256 and SHA-384.
Having completed all the DNSSEC signing parameters, the Windows 2012 DNS Server now starts creating the key material and signs the zone. This takes a few seconds.
Inspecting the signed zone
Once the zone is signed, the signed zone, as well as the ds-set and
key-set files appear in the "C:\Windows\System32\dns\ folder"
.
I've created an extra "www" A-record in the zone. This new record got automatically signed on creation.
Once the DS-records and the delegation NS-records are added to the parent zone, the new zone hosted on the Windows 2012 DNS Server does validate:
# dig www.windnssec.signed04.dnslab.org a +dnssec +multi ; <<>> DiG 9.9.1-P2 <<>> www.windnssec.signed04.dnslab.org a +dnssec +multi ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30532 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags: do; udp: 4096 ;; QUESTION SECTION: ;www.windnssec.signed04.dnslab.org. IN A ;; ANSWER SECTION: www.windnssec.signed04.dnslab.org. 3600 IN A 192.0.2.10 www.windnssec.signed04.dnslab.org. 3600 IN RRSIG A 8 5 3600 ( 20120921134910 20120911124910 20011 windnssec.signed04.dnslab.org. u24KXaMM+a4ysMlhNvAUVuiuXNrUVyHs6XvAAXOhQmAS Jt6cbPhM09QkwRV2OWstVukqqVHugOOU70GmzGSpfsAi 3iOcQ4GLK7S6bH09lSuutfH1Ezxt2CPEW3pqeyaBbZLZ kP53NQ7o/nMuZQmEBv/NqRvBvPuHhpjsx4RV+tc= ) ;; Query time: 867 msec ;; SERVER: 192.168.53.251#53(192.168.53.251) ;; WHEN: Tue Sep 11 14:08:00 2012 ;; MSG SIZE rcvd: 267
Below is the full zone, as created by the Windows 2012 DNS Server:
; ; Database file windnssec.signed04.dnslab.org.dns for windnssec.signed04.dnslab.org zone. ; Zone version: 5 ; @ IN SOA win2012ga.home.strotmann.de. hostmaster.home.strotmann.de. ( 5 ; serial number 900 ; refresh 600 ; retry 86400 ; expire 3600 ) ; default TTL ; ; Zone NS records ; @ NS win2012ga.home.strotmann.de. ; ; Zone records ; @ RRSIG NS 8 4 3600 20120921134910 ( 20120911124910 20011 windnssec.signed04.dnslab.org. MtnYnQCIMDLbCcbnbrDFDLjHKRIq4cCh5VWd sqQoDDf8tcYnQB3MlmkpI9S2M2xX/ztR434x 1W1K7FTeu+rcBIE0EpMNHyCzVNjQdQA+AudL 7Rk+xS8M+RvmMRoI1gv5ghkocMHfHDHHIu3W XgZGxPRSpF8B1nuesvvuFqX+l1k= ) @ RRSIG SOA 8 4 3600 20120921134910 ( 20120911124910 20011 windnssec.signed04.dnslab.org. NU14HQT1Ne6+eL0CIcSxEADuRvuhfahlD6lb n6kmXaMo0HNXuDpTKL78VN+XjAoPMt0DkC5A t6ZDwq/iXL/Cz0HHnqVZMBWk5TM7Vtc+WIWt ofS4cdAUdaSpVvLlNObANxYYZmeKL3qTblni 00tL3J4IZRTrPmeFiMrVd/djdvo= ) @ RRSIG DNSKEY 8 4 3600 20120918134910 ( 20120911124910 20011 windnssec.signed04.dnslab.org. mTI3j5FYloUSk+tpVI6vJqoqra0YWLJ4O0ha zlBW3mgBSr9P5bAPp2buKtwZBIv6+2peHGyW DBFS0QjLIaHmQuDS5LL14M2ebUWYrbqCo4It NAQB/ArX+JdujYtUKqcagsjM0NRq+RW59dq1 Rys3AHZzqSaDA4AmXFMBybg6awc= ) @ RRSIG DNSKEY 8 4 3600 20120918134910 ( 20120911124910 8257 windnssec.signed04.dnslab.org. Vd1Z6Xjy01g6Ym4Qx/VD5RGbIoUGHQ9mC0Rh DdktnyHklNKWVXJ+zHP/NnsEwvYzCnr1NetC 6Sfu8y+VtRf9t+tXBMJWXNHNjti4HNzNEKvx gPwBJXkfm/27xHBgtG80RduTcVTa5iK5bS0Q C9FXQQHJVTgLt+d7Pky5QjkPl3bVhoefWBDw Y4TPGALC1MnR7sjheqnCuZW//cb4k1RldmNY 4vWUKEJDn4kBnQjfD15N9rM202W0AyyV71IA 6Rv4GsgHHeDDHgfyAycYku/7QP3CqG7fDlZO V+MWsgUfHoiAlJwGCXvzKvqhNTQY3rPmx89o SyKRHdXvldCWkkfNzXCFTBvkO/pcioXcNBmX xqn4SBuZengdbJ4lHdveXnlOrr1ZG32+zm3K ppbD5LBy4DQnKHpD4AthnW2vq3P22uHBdotA zIrRvp6hJZP0QHysHwyJ4PF/4E3pO3OgeXcQ jU7Q4dgtF2vU3owYgk2BwRyH92abqzTeKjuc PMtADjVtiugrhmRQJ9Ex5tAt8o/0ssa7oAeG LNUiRoVlXN+OXUeJkL8V9EezOngmqlrUQVV7 Q5v4l/E+Tbe4l9UneDIsUQ6Kht+MlDeLfwAq YRRBYW/cE+MWZngFFLK4XWVmcQ+X3hYlVUjO Oj748CSEiJ9SKp8iwwSDqhRa3TsjwPSKXpA= ) @ RRSIG NSEC3PARAM 8 4 3600 20120921134910 ( 20120911124910 20011 windnssec.signed04.dnslab.org. pMXl43pA/GVXvx85lE9umxnSHmYRjDV2dvii S2H/A2BXikvkG5S2Ou1i/+1ky1vkavabUaoQ PqVbBhNhotqrtwdU2LWhIepCUCAEeFpRgu21 sD/bgMw6367GFIQhqDO2CvCkVH/yTFOe63Ez 9G/BNzKocO0LiqlLo0fV6+ipLIE= ) @ DNSKEY 256 3 8 ( AwEAAcMfL/1WuSs6zzEQbqTjOTC9DsDlR2tX rNPEA3cJFTxUpyU7K/5ykr4Y+hjJ2Z7JHVwD 5edp50SKAywNgFyIAcKH8wHhF07Xfl77RYFg oEE1x33Q0BatRSk46pw1ZJOAsk10V6gxaf/1 51gNvjdjX1S7MmGK/8i5TpHLoAc59iHv ) ; key tag = 20011 @ DNSKEY 256 3 8 ( AwEAAbF31wsrhR4EKPkQs1V5zgXqoYz/z2sI wLCKx1CXmT3xtFhh0xMd+Y+xIn82n8AdY9K/ M0v116WLExzvYSdl/aTuIjiQ5rYB/JLIaLCL HLYBaShWPsEzpFhawTvI3NuyTB5dolednL5T fEjs2QZgwly/SF7Na9lIf7x5GJojhXzj ) ; key tag = 55764 @ DNSKEY 257 3 8 ( AwEAAa8e3bf1svqyWOZDVU8bJ2QYtIBmF8r6 YQq72phpyVgDGpcyrtITXC0dwpa5XQi+CPTh 5vO89W//8cSIacUiLtaIhb0ipTHobUmDwAnw 8mFANY6milnaAkG6Gz5oBxzolybWo4HDcEFM QZLpynP7ZfJHeVB0VU5Qzbja069OHY4w8CfZ zA5OLJt1tHEj+xnGzfazPS5nUDKOoT17Bizc l1gTQFb7TnwJFgwuOuy7OxiGAvaRqIdfPm5C 7i8Dxko11K/0isaTjhvHsdgh0EgTgCGWcRbn s/gXw3U5956hkSxtT2g4Yskii1OEwwy7ODnJ dHJM9cDm5IvLS+8ZA5hCl8+E33vOyld+qBEo P8ySzzQF2kGGs77iVSv4ZpgDwOrYqS8Yr2/6 A5z4jHzLIWBkUq9pXgBh44hAPIWgsJ8MAWTP FhQHBRnBg3VA/K91fQjSV27ZQpcEv6105eXQ dJEfRGKkC+8cr+oHtfMdY/kHYQ8nnId5AFou oTS+2s7h8sYdNPB4eoDWFA1Vl7VBRQVwlRmg uj+7Y8y2Kjh/SDBImBo/afEiLa+1ffdG6Ag3 g8e/FTfw+uK1cXRD237ldEKY+ay8N8BXre15 QrSiA39M8pWTIwtKq1Ant+b6F/8BCiQF/FhZ zvRnTetjQK6pan9JPVb4k089PjwP7j+ik22Z KmRn ) ; key tag = 8257 @ DNSKEY 257 3 8 ( AwEAAb/rrPNxWAAeHjWRX0Pl10Po3ZQ7FWO+ +rVagU+iThBqRHXWkE56hFVkG4NH6OufH7+c KZbDvv35D7QgwkEGaGFkLTeJxgWioeKB9ezT MRMfYmP1UoMIzBE/vuhaegKEMpvleHvupYTD uLURYYC316GlqxZh+6GW1Vlai9rYHhPiKnaN 96/3IWa0mmr1Lhj4jU645AOGBgWwsNR8/hrM LIoTcBTakC+zXG/Fzt8sAMe6EH3Cp2IKOrd7 Hw8bHxxP3jzY+5kKKo23u7aL4ljAeeNhC3a9 x2vhiah2NkVWdZrM9HueLAeRy8i++JRIfTFe vcmRQoVXfAOPFirkHpsuvMUlBYgdSfcMowln tNr7C2MUCehDBzxmZg/tfQLV2BLKj8qIU35F e8siumA/Jvv0qXSOfqnhKUwkPL1UsTRovV/G Yh6HkF7COKxG3rLHK3elJAysN2efKtSyXBaw lkm19WAre22srihqQGFOH9dg8nT/iptWnhl4 lXppXXutmkdK0jdq4Sbmd321Bxpyk2wPdsjF OJYjTjf38iqC0GXopYoDXGa4qoJch3yDGGM4 NtpR+hY90sT0xbWeok1vyfNBI9vXUp0x8coh yR6DpVszYvrct9To15ofdA5s1gr81PYUuIOl 6vpJrqY9U1Lo5FvE5ktmELwgOo/aN2BNn8Ye vXCX ) ; key tag = 64486 @ NSEC3PARAM 1 0 50 7A59BC4B8A536621 p5v0al7iu1nhknb885o88bmd2on6v650 RRSIG NSEC3 8 5 3600 20120921134910 ( 20120911124910 20011 windnssec.signed04.dnslab.org. Ik6uRXyvUKhukQ1O6kVhIokOxIkJRt6vIN/U 2/fIom1qHvDaLZegzeOR/9ZjBypnGoHXBAdv cutwmQPC765uNDTJW4C1WnGPQccV6KaSICiq o+jlOeu9SNlxaMsFul3GQ/C2BV6cyMt2V/nN iMCVLL5TxvhpHISNE+bdmw5otN8= ) NSEC3 1 0 50 7A59BC4B8A536621 vpsasnt3eaq49l9cuq3lqrdgsbijkf65 A RRSIG vpsasnt3eaq49l9cuq3lqrdgsbijkf65 RRSIG NSEC3 8 5 3600 20120921134910 ( 20120911124910 20011 windnssec.signed04.dnslab.org. KTacQes3fi3V35WbYblvdwBAZmnoZHDu+jZP js0DXZoRnG0ttvf5mPIqF8WhsgKRty4gDyln bEoHCWal9Y/lAYLP0PNv6hc0g/uzu3oB5VuD Dz+MusfmWmr7iBWc+8AGTc/HsEonflZbmIoE XSFhLpCrf5X8dPewtZB9cl80TIg= ) NSEC3 1 0 50 7A59BC4B8A536621 p5v0al7iu1nhknb885o88bmd2on6v650 NS SOA RRSIG DNSKEY NSEC3PARAM www A 192.0.2.10 RRSIG A 8 5 3600 20120921134910 ( 20120911124910 20011 windnssec.signed04.dnslab.org. u24KXaMM+a4ysMlhNvAUVuiuXNrUVyHs6XvA AXOhQmASJt6cbPhM09QkwRV2OWstVukqqVHu gOOU70GmzGSpfsAi3iOcQ4GLK7S6bH09lSuu tfH1Ezxt2CPEW3pqeyaBbZLZkP53NQ7o/nMu ZQmEBv/NqRvBvPuHhpjsx4RV+tc= )
We see four DNSKEY records in the zone, 2 KSK and 2 ZSK. One ZSK and one KSK are "active" (used to create signatures), while one KSK is the "stand-by" key for an emergency rollover. I'm not sure of the role of the extra ZSK.
Keys in the "windnssec.signed04.dnslab.org" zone:
Type | ID | status |
KSK | 08257 | (active) |
KSK | 64486 | (standby) |
ZSK | 20011 | (active) |
ZSK | 55764 | ?? |
Unfortunately, the key IDs are not shown in the Windows 2012 DNS Server manager GUI (it would be quite useful to see the key ids for each zone to help troubleshooting DNSSEC issues).
DS set file
Below is the ds-set file created by the Windows 2012 DNS server. The file can be found it C:\Windows\System32\dns: