Windows DNS & DNSSEC?


I've been reading about the upcoming change to DNS and the deployment of DNSSEC. The worry is that some dodgy networking kit will drop the enlarged UDP packets, 'breaking the internet'.

I run Windows DNS servers; they are not recursive, they serve up a limited list of zones only, about 600 live zones.

Is there anything I need to do to prepare my Windows DNS server to use/support DNSSEC?

Chris Dent (PowerShell Developer) commented:

> Is there anything I need to do to prepare my Windows DNS server to use/support DNSSEC?

No. 2003 supports EDNS already and will be quite happy with the larger response messages (typically up to 4096 bytes). This issue is far more likely to hit (very old) network kit than existing DNS services; that's where the 512-byte limit may kick in.

g000se commented:

Here is a good link to shine more light on DNSSEC-

g000se commented:

Check out this link too for more clarification-

Abhay Pujari commented:

I think not. But it's a good thought; need to check it out.

Borgs8472 (Author) commented:
Okay, I have all the assurance I need that nothing will break, that's good.

On the other hand, I wouldn't mind putting some work into my DNS servers to sign the zones for use with DNSSEC. The problem is that all the guides on the internet are exclusively for BIND. I wouldn't mind, but I can't find definitive answers that I can't do this on Windows DNS, but no info in the slightest on how TO do it either. :/

Borgs8472 (Author) commented:

Found the definitive answer to my question:
DNSSEC is only partially supported in Windows Server 2003 DNS, providing basic support as specified in RFC 2535. A Windows Server 2003 DNS server can only operate as a secondary to a BIND server that fully supports DNSSEC. The support is partial because DNS in Windows Server 2003 does not provide any means to sign or verify the digital signatures. In addition, the Windows Server 2003 DNS resolver does not validate any of the DNSSEC data that is returned as a result of queries.