[dns-operations] DNSSEC support in Microsoft Windows products

Loomis, Gilbert R. GILBERT.R.LOOMIS at saic.com
Thu Sep 4 16:30:24 UTC 2008

For clarity, and definitely not speaking for Microsoft,
but only based on the publicly available info that
I have--here's the statement of "best estimate" status
that I put together for an interested customer:

Microsoft had previously indicated that DNSSEC
per RFC 4035 would be present in "SP1 for Longhorn",
but WS2008 was labeled as SP1 upon release to
match up with Vista SP1 which RTM'd at the same
time.  Based on current TechNet docs, WS2008 SP1
does not appear to support DNSSEC validation
other than the minimal support for serving RFC2535
records (but doing no actual validation or signing)
that was present in WS2003.

That implies that SP2 for WS08, expected out sometime
in 2009, will be required for DNSSEC support--and
even then, RFC4035 will only be supported on servers
that have been updated to WS08 and *perhaps* on Vista
clients.  Many, if not most, organizations with
existing DNS Servers running Microsoft are still
using Windows Server 2003.  And for US Federal
Government users, all these transitions must be
managed and completed by December 2009.

Note that even RFC4035 support may not suffice for
some DNS operators, if NSEC3/Opt-Out turn out to
be (believed as) necessary due to zone size or
constraints on data publishing.


Rip Loomis, CISSP, PMP
Chief Systems Security Engineer
SAIC Cyber Security Solutions

> -----Original Message-----
> From: dns-operations-bounces at lists.oarci.net 
> [mailto:dns-operations-bounces at lists.oarci.net] On Behalf Of 
> Jeremy C. Reed
> Sent: Tuesday, 19 August, 2008 15:25
> To: Jon Kibler
> Cc: dns-operations at lists.oarci.net
> Subject: Re: [dns-operations] DNSSEC support in Microsoft Windows products
> > M$ claims to have supported a limited implementation of DNSSEC since
> > late 2004. However, you must edit the registry to enable it.
> >    http://technet.microsoft.com/en-us/library/cc779943.aspx
> I looked at that and followed the links from there. It is obsolete.
> See RFC 4034 which says:
>    This document obsoletes RFC 2535 and incorporates changes from all
>    updates to RFC 2535.
> ...
>       [RFC3755] also marked type 30 (NXT) as Obsolete and restricted use
>       of types 24 (SIG) and 25 (KEY) to the "SIG(0)" transaction
>       security protocol described in [RFC2931] and to the transaction
>       KEY Resource Record described in [RFC2930].
> (Searching at above website can't find RRSIG or NSEC or DNSKEY.)
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.oarci.net
> http://lists.oarci.net/mailman/listinfo/dns-operations
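The thread draws two distinctions that are easy to blur when auditing a DNS server: whether it serves the obsolete RFC 2535 record types (SIG, KEY, NXT) or the RFC 4034 types (RRSIG, NSEC, DNSKEY, NSEC3), and whether a resolver merely passes signed records through or actually asserts validation by setting the AD flag. The following Python script is an added example, not code from the thread or from Microsoft; it parses DNS wire-format responses, flags the DNSSEC OK (DO) bit in the EDNS OPT record and the AD header bit, and reports which generation of DNSSEC record types is present. The three sample responses are constructed inline (a TEST-NET-1 address and placeholder signature bytes) so the script runs offline; in practice you would feed it responses captured from the server under review.

```python
import struct

# RFC 4034 DNSSEC record types and the RFC 2535-era types they obsoleted
RFC4034_TYPES = {46: "RRSIG", 47: "NSEC", 48: "DNSKEY", 50: "NSEC3"}
RFC2535_TYPES = {24: "SIG", 25: "KEY", 30: "NXT"}
TYPE_OPT = 41
AD_FLAG = 0x0020   # header flags: Authenticated Data (resolver asserts validation)
DO_FLAG = 0x8000   # OPT RR TTL field: DNSSEC OK (client asked for signed data)


def _read_name(msg, off):
    """Decode a possibly compressed owner name; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    if not jumped:
        end = off
    return ".".join(labels) or ".", end


def _read_rr(msg, off):
    """Parse one resource record; rdata is kept opaque."""
    name, off = _read_name(msg, off)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
    off += 10
    return (name, rtype, rclass, ttl, msg[off:off + rdlen]), off + rdlen


def assess_dnssec(msg):
    """Summarise what a DNS response says about DNSSEC support and validation."""
    _ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):           # skip the question section
        _, off = _read_name(msg, off)
        off += 4                  # QTYPE + QCLASS
    rrs = []
    for _ in range(an + ns + ar):
        rr, off = _read_rr(msg, off)
        rrs.append(rr)
    do_set = any(r[1] == TYPE_OPT and r[3] & DO_FLAG for r in rrs)
    new = sorted({RFC4034_TYPES[r[1]] for r in rrs if r[1] in RFC4034_TYPES})
    old = sorted({RFC2535_TYPES[r[1]] for r in rrs if r[1] in RFC2535_TYPES})
    ad = bool(flags & AD_FLAG)
    if old and not new:
        verdict = "obsolete RFC 2535 records only; not RFC 4034 DNSSEC"
    elif new and ad:
        verdict = "RFC 4034 records present; resolver asserted validation (AD set)"
    elif new:
        verdict = "RFC 4034 records served but nothing validated (AD clear)"
    else:
        verdict = "no DNSSEC records in response"
    return {"ad": ad, "do": do_set, "rfc4034_types": new,
            "rfc2535_types": old, "verdict": verdict}


# --- constructed sample responses (not captured from any real server) -------
def _name(s):
    return b"".join(bytes([len(l)]) + l.encode() for l in s.split(".")) + b"\x00"


def _rr(owner, rtype, ttl, rdata, rclass=1):
    return owner + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_response(flags, answers, opt_do):
    """Response to 'example.com. A' with the given answer RRs and optional OPT RR."""
    ar = 0 if opt_do is None else 1
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), 0, ar)
    body = _name("example.com") + struct.pack("!HH", 1, 1) + b"".join(answers)
    if opt_do is not None:        # OPT: owner root, class = UDP size, TTL = flags
        body += _rr(b"\x00", TYPE_OPT, DO_FLAG if opt_do else 0, b"", rclass=4096)
    return hdr + body


PTR = b"\xc0\x0c"                 # pointer to the question name at offset 12
A_RDATA = bytes([192, 0, 2, 1])   # constructed TEST-NET-1 address
SIG_PLACEHOLDER = b"\x00" * 18    # placeholder bytes standing in for signature rdata
VALIDATED = build_response(0x81A0, [_rr(PTR, 1, 300, A_RDATA),
                                    _rr(PTR, 46, 300, SIG_PLACEHOLDER)], opt_do=True)
UNVALIDATED = build_response(0x8180, [_rr(PTR, 1, 300, A_RDATA),
                                      _rr(PTR, 46, 300, SIG_PLACEHOLDER)], opt_do=True)
LEGACY = build_response(0x8180, [_rr(PTR, 1, 300, A_RDATA),
                                 _rr(PTR, 24, 300, SIG_PLACEHOLDER)], opt_do=None)

if __name__ == "__main__":
    for label, m in (("validated", VALIDATED), ("unvalidated", UNVALIDATED), ("legacy", LEGACY)):
        print(label, assess_dnssec(m))
```

The AD bit only reports that the resolver you asked claims to have validated; it is meaningful only over a path to that resolver you trust, which is why a server that serves RRSIG records with AD clear (the middle sample) looks, from the client's side, exactly like the "serves records but does no validation" behaviour the message describes for WS2003.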
