Windows dns & dnssec?

hi

I've been reading about the upcoming change to DNS and the deployment of DNSSEC. The worry is that some dodgy networking kit will drop the enlarged UDP packets, 'breaking the internet'.

I run a Windows DNS server, they are not recursive, they serve up a limited list of zones only, about 600 live zones.

Is there anything I need to do to prepare my windows dns server to use/support dns sec?
Borgs8472 Asked:

g000se Commented:
Hi,

Here is a good link to shine more light on dnssec: http://ds9a.nl/secure-dns.html
0
g000se Commented:
Check out this link too for more clarification: http://technet.microsoft.com/en-us/library/cc728328%28WS.10%29.aspx
0
Abhay Pujari Commented:
I think not. But good thought, need to check it out.
0
Chris Dent (PowerShell Developer) Commented:

> Is there anything I need to do to prepare my windows dns server to use/support dns sec?

No. 2003 supports EDNS already and will be quite happy with the larger response messages (typically up to 4096 bytes). This issue is far more likely to hit (very old) network kit than it is existing DNS services, that's where the 512 byte limit may kick in.

Chris
0
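The EDNS behaviour described in the answer above, as an added example that is not part of the original thread: the query advertises a 4096-byte UDP payload size in an OPT record, and the classifier reports whether a reply exceeded 512 bytes, came back truncated, or carried no OPT record. The function names and the example.com sample replies are constructed for illustration.

```python
import struct

def build_edns_query(name, qtype=1, udp_size=4096, do_bit=True, txid=0x1234):
    """DNS query with an EDNS0 OPT record (RFC 6891) advertising udp_size."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\0"
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL holds the DO flag
    opt = b"\0" + struct.pack("!HHIH", 41, udp_size, 0x8000 if do_bit else 0, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Return the offset just past the (possibly compressed) name at off."""
    while True:
        n = msg[off]
        if n == 0:
            return off + 1
        if n & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += 1 + n

def classify_response(msg):
    """Summarise what a reply shows about EDNS support and message size."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    off, edns_size = 12, None
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if rtype == 41:  # OPT: CLASS is the sender's UDP payload size
            edns_size = rclass
    return {"length": len(msg), "over_512": len(msg) > 512,
            "truncated": bool(flags & 0x0200), "rcode": flags & 0xF,
            "edns_size": edns_size}

# Constructed sample replies for the placeholder zone example.com (not captures).
QUERY = build_edns_query("example.com", qtype=16)  # TXT
QUESTION, OPT = QUERY[12:-11], QUERY[-11:]
TXT = (b"\xc7" + b"x" * 199) * 3  # 600 bytes of TXT rdata
# Authoritative answer that only fits because EDNS raised the limit above 512.
SAMPLE_LARGE = (struct.pack("!6H", 0x1234, 0x8400, 1, 1, 0, 1) + QUESTION + b"\xc0\x0c"
                + struct.pack("!HHIH", 16, 1, 300, len(TXT)) + TXT + OPT)
# Reply with TC set: the data did not fit and the client must retry over TCP.
SAMPLE_TRUNCATED = struct.pack("!6H", 0x1234, 0x8600, 1, 0, 0, 1) + QUESTION + OPT

if __name__ == "__main__":
    for label, msg in (("large", SAMPLE_LARGE), ("truncated", SAMPLE_TRUNCATED)):
        print(label, classify_response(msg))
```

A reply with `edns_size` of `None` means the responder sent no OPT record, so the 512-byte UDP limit applies to that exchange.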

Borgs8472 (Author) Commented:
Okay, I have all the assurance I need that nothing will break, that's good.

On the other hand I wouldn't mind putting some work into my dns servers to sign the zones for use with DNSsec. The problem is that all the guides on the internet are exclusively for BIND. I wouldn't mind, but I can't find definitive answers that I can't do this on windows DNS, but no info in the slightest on how TO do it either. :/
0
Borgs8472 (Author) Commented:
Found the definitive answer to my question:
http://www.enterprisenetworkingplanet.com/netsecur/article.php/3522106
===
DNSSEC is only partially supported in Windows Server 2003 DNS, providing basic support as specified in RFC 2535. A Windows Server 2003 DNS server can only operate as a secondary to a BIND server that fully supports DNSSEC. The support is partial because DNS in Windows Server 2003 does not provide any means to sign or verify the digital signatures. In addition, the Windows Server 2003 DNS resolver does not validate any of the DNSSEC data that is returned as a result of queries.
===
0