I’m excited that I finally get to talk about what the DNS team has been working on for over a year. That’s right – DNSSEC. It’s in Windows, and it’s on its way.
DNSSEC is a suite of security extensions to the DNS which provide origin authority, data integrity and authenticated denial of existence. Putting that in plain English, DNSSEC allows a DNS zone to be cryptographically signed (which produces digital signatures), and provides a mechanism for validating the authenticity of the data received using these digital signatures. Validating resolvers and servers must be pre-configured with a Trust Anchor, from which a “chain of trust” is established down to the signed zone. Data from this signed zone can then be validated.
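To make the Trust Anchor step concrete, here is an added example (written for this post, not code from the Windows DNS team or the product) of the first link in the chain of trust: a validator configured with a DS record as its anchor will only accept the child zone's DNSKEY whose digest and key tag match that anchor. The DS digest and key-tag computations follow RFC 4034; the key bytes below are constructed placeholders standing in for real RSA key material, and signature (RRSIG) verification over the zone data is not shown.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# DNSKEY algorithm and DS digest-type numbers from RFC 4034 / the IANA registries.
ALG_RSASHA256 = 8
DIGEST_SHA1, DIGEST_SHA256 = 1, 2
DIGESTS = {DIGEST_SHA1: hashlib.sha1, DIGEST_SHA256: hashlib.sha256}


@dataclass(frozen=True)
class DNSKEY:
    """A DNSKEY RR as received from the signed zone's apex."""
    owner: str          # zone name, e.g. "example."
    flags: int          # 257 = key-signing key (SEP bit set), 256 = zone-signing key
    protocol: int       # must be 3 (RFC 4034 section 2.1.2)
    algorithm: int
    public_key: bytes   # raw key material, opaque to this check

    def rdata(self) -> bytes:
        return struct.pack("!HBB", self.flags, self.protocol, self.algorithm) + self.public_key


@dataclass(frozen=True)
class DS:
    """A DS RR: the parent's (or the trust anchor's) fingerprint of a child DNSKEY."""
    key_tag: int
    algorithm: int
    digest_type: int
    digest: bytes


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        if label:
            out.append(len(label))
            out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def key_tag(key: DNSKEY) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(key: DNSKEY, digest_type: int = DIGEST_SHA256) -> DS:
    """RFC 4034 section 5.1.4: digest = H(owner name in wire form | DNSKEY RDATA)."""
    h = DIGESTS[digest_type](wire_name(key.owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, digest_type, h)


def dnskey_matches_anchor(key: DNSKEY, anchor: DS) -> bool:
    """True only if the received DNSKEY is the key the configured anchor vouches for."""
    if key.protocol != 3 or key.algorithm != anchor.algorithm:
        return False
    if anchor.digest_type not in DIGESTS or key_tag(key) != anchor.key_tag:
        return False
    computed = ds_from_dnskey(key, anchor.digest_type)
    return hmac.compare_digest(computed.digest, anchor.digest)


# Constructed sample data: the key bytes are arbitrary and stand in for real RSA key material.
GENUINE_KSK = DNSKEY("example.", 257, 3, ALG_RSASHA256, bytes(range(1, 65)))
FORGED_KSK = DNSKEY("example.", 257, 3, ALG_RSASHA256, bytes(range(2, 66)))

# What an operator would configure on the validating server: the DS of the genuine key.
TRUST_ANCHOR = ds_from_dnskey(GENUINE_KSK)


def demo() -> tuple:
    """Check the genuine key and a substituted key against the same anchor."""
    return (dnskey_matches_anchor(GENUINE_KSK, TRUST_ANCHOR),
            dnskey_matches_anchor(FORGED_KSK, TRUST_ANCHOR))


if __name__ == "__main__":
    genuine_ok, forged_ok = demo()
    print(f"anchor key tag {TRUST_ANCHOR.key_tag}, digest {TRUST_ANCHOR.digest.hex()}")
    print(f"genuine DNSKEY accepted: {genuine_ok}; substituted DNSKEY accepted: {forged_ok}")
```

In a real deployment the anchor is usually a DS (or the DNSKEY itself) for the root or for a zone apex, and once the apex DNSKEY is accepted the same DS-to-DNSKEY check is repeated at every delegation below it, with RRSIG verification tying the signed data to the accepted keys.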
The new and improved DNSSEC RFCs were published in 2005, and since then DNSSEC has seen a steady growth in attention. However, this year things took a much more dramatic turn, mainly because of the vulnerabilities that were revealed at Black Hat by researcher Dan Kaminsky. More and more people are showing interest in DNSSEC as a good solution to lock down their DNS infrastructures.
Well, the timing is just perfect. Windows Server 2008 R2 DNS server will offer support for DNSSEC as per these new RFCs. The DNS server is now capable of generating keys and signing DNS zones using a sign-tool that we are providing with the product. The server will also be able to host these signed zones either as a primary or secondary zone, or as an Active Directory-integrated zone. Once configured with a Trust Anchor, the server will be able to perform full validation of data obtained from other signed zones.
On the DNS client, we have implemented a non-validating security-aware stub resolver. Doesn’t roll off the tongue very easily, does it :)? Breaking it down, all this means is that the DNS client relies on its local DNS server to perform DNSSEC validation and will check to make sure that the server has indeed done so.
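What that check looks like on the wire, as an added example (not the Windows DNS client's implementation): per RFC 4035, a validating resolver sets the AD (Authenticated Data) bit in the response header when it has validated every RRset in the answer, and a non-validating security-aware stub reads that bit. The sample headers are constructed for this example, and the function takes the trustworthiness of the path to the local server as an explicit input, because the AD bit is just a header bit that anyone able to alter the packet between server and client could set.

```python
import struct

# Header flag bits (RFC 1035 section 4.1.1; AD and CD defined by RFC 2535 / RFC 4035).
FLAG_QR = 0x8000   # message is a response
FLAG_RD = 0x0100   # recursion desired (echoed from the query)
FLAG_RA = 0x0080   # recursion available
FLAG_AD = 0x0020   # Authenticated Data: the server validated every RRset in the answer
FLAG_CD = 0x0010   # Checking Disabled: the client asked the server not to validate
RCODE_SERVFAIL = 2


def parse_header(msg: bytes) -> dict:
    """Split the fixed 12-byte DNS header into its fields."""
    if len(msg) < 12:
        raise ValueError("message shorter than the 12-byte DNS header")
    ident, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0x000F,
        "counts": (qdcount, ancount, nscount, arcount),
    }


def classify_response(msg: bytes, server_path_trusted: bool) -> str:
    """What a non-validating stub may conclude about its local server's answer."""
    h = parse_header(msg)
    if not h["qr"]:
        raise ValueError("not a response")
    if h["rcode"] == RCODE_SERVFAIL and not h["cd"]:
        # A validating resolver answers SERVFAIL for data that failed validation;
        # from the stub's side this is indistinguishable from an ordinary server failure.
        return "bogus-or-server-failure"
    if not server_path_trusted:
        # Without a trusted path to the resolver the AD bit carries no assurance.
        return "unknown"
    return "secure" if h["ad"] else "insecure"


def build_header(ident: int, flags: int, counts=(1, 1, 0, 1)) -> bytes:
    """Pack a 12-byte header (used only to construct the sample responses below)."""
    return struct.pack("!HHHHHH", ident, flags, *counts)


# Constructed sample responses (headers only; question and answer sections omitted).
BASE = FLAG_QR | FLAG_RD | FLAG_RA
VALIDATED = build_header(0x1A2B, BASE | FLAG_AD)            # server validated the answer
UNVALIDATED = build_header(0x1A2C, BASE)                    # answer came from an unsigned zone
FAILED = build_header(0x1A2D, BASE | RCODE_SERVFAIL, (1, 0, 0, 0))  # validation failed

if __name__ == "__main__":
    for name, msg in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("failed", FAILED)):
        print(f"{name:12s} trusted path: {classify_response(msg, True):24s} "
              f"untrusted path: {classify_response(msg, False)}")
```

To receive the AD bit at all, the stub has to advertise DNSSEC support by setting the DO bit in the EDNS0 OPT record of its query (RFC 3225) and must leave CD clear; a stub that sets CD is asking the server to hand back data without validating it and then has to validate on its own.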
Pre-Beta builds of Windows are already available to those who attended the Professional Developers Conference in LA that ended today. I would strongly encourage those of you who do have Windows 7 to test out DNSSEC and tell us what you think about it.
Over the next few days, I will blog more about what is and isn’t in the product, so stay tuned!