This article summarizes the impact on Windows clients and servers of enabling DNSSEC on the root zone DNS servers.
| OS Version and Role | Impact |
|---|---|
| Windows 2000 Professional, Windows 2000 Server, Windows Server 2003, Windows Server 2003 R2, Windows Server 2008 | No configuration change is required. DNSSEC is a DNS server technology; Windows DNS clients are not affected by it. DNSSEC data is returned only to DNS servers that request it (by setting the DNSSEC OK bit in an EDNS OPT record). These Microsoft DNS Server versions are not DNSSEC-aware, never request it, and so are not affected by enabling DNSSEC on the root zone. |
| Windows 7 and Windows Server 2008 R2 with DNSSEC disabled | No configuration change is required. DNSSEC is a DNS server technology; Windows DNS clients are not affected by it. DNSSEC data is returned only to DNS servers that request it, and DNSSEC is not enabled on Windows Server 2008 R2 DNS Servers by default. Such DNS servers are not affected by enabling DNSSEC on the root zone. |
| Windows Server 2008 R2 DNS Servers with DNSSEC enabled | No additional configuration change is required as a result of enabling DNSSEC on the root zone DNS servers. DNSSEC-enabled Windows Server 2008 R2 DNS Servers have been tested and verified by Microsoft to interoperate with the DNSSEC-enabled root zone servers on the Internet. If you wish to deploy DNSSEC, see the Microsoft DNSSEC Deployment Guide for the requirements, including support for the large UDP packets (EDNS frames) that DNSSEC responses require. |
Press coverage of the root zone DNSSEC rollout (see the articles listed under Information about DNSSEC for the Root Zone below) and the deployment of DNSSEC itself have led Microsoft customers to ask whether the DNSSEC transition on the root zone would cause Windows clients and servers, including those hosting the Microsoft DNS Server role, to experience name resolution failures.
Impact on Microsoft Windows Clients
Windows DNS clients do not require additional configuration as a result of DNSSEC being enabled on root zone DNS Servers.
Impact on Microsoft DNS Servers
Per http://www.root-dnssec.org/2010/05/05/status-update/, the signed root (served at first as a deliberately unvalidatable root zone, DURZ) was enabled on 2010.01.27 and was rolled out to additional root servers during February, March and April 2010. At the point when twelve of the thirteen root servers had been transitioned to the DURZ, no harmful effects had been identified. Had enabling DNSSEC on the root servers caused a problem, it would have been observed long before the last of the 13 root servers was transitioned on May 5, 2010. As of 2010.05.07, no verifiable problems have been attributed to enabling DNSSEC on the root zone.
More importantly, such claims fail to consider that DNSSEC data is returned only to callers (DNS servers) that request it: a resolver asks for DNSSEC records by including an EDNS OPT record in its query with the DNSSEC OK (DO) bit set. Enabling DNSSEC on a target server, such as those hosting the root zone, does not change the DNS responses sent to callers that do not request DNSSEC. This change paves the way for more EDNS use in the future, specifically for DNSSEC. Servers and clients that send DNS requests to the root servers do not have to make any changes.
Pre-Windows Server 2008 R2 DNS Servers are incapable of requesting DNSSEC functionality and require no configuration change to interoperate with DNSSEC-enabled DNS Servers hosting the Root or any other DNSSEC enabled DNS zone.
Windows Server 2008 R2 DNS Servers are DNSSEC capable but the feature is turned off by default. Such DNS Servers require no additional configuration change to interoperate with DNSSEC enabled servers and should experience no failures due to the enabling of DNSSEC on root zone servers.
Windows Server 2008 R2 DNS Servers configured to use DNSSEC have been tested by Microsoft development and test teams and found to be fully interoperable with the DNSSEC-enabled root zone servers. Administrators should be aware that enabling DNSSEC on Microsoft and third-party products implicitly enables EDNS, a DNS extension that allows UDP DNS messages larger than the traditional 512-byte limit to be sent over the network.
There are known issues with network infrastructure devices such as routers and firewalls dropping or fragmenting UDP packets larger than 512 bytes, or delivering the fragments out of order; both Kerberos and EDNS generate such packets. Each case can cause DNS queries to fail. Ensure that your network infrastructure passes large UDP packets, including IP fragments, and does not enforce the historical 512-byte limit on DNS over UDP.
Per RFC 4035, a DNSSEC-aware name server MUST support EDNS message sizes of at least 1220 bytes and SHOULD support messages of 4000 bytes. Windows Server 2008 R2 DNS Server advertises a default EDNS UDP payload size of 4000 bytes.
OARC's DNS Reply Size Test Server documents a reply size test run with dig. The same test can be replicated with the equivalent nslookup syntax.
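As an added example (not code from the Microsoft article), the following Python script shows the mechanism the two preceding passages rely on: a resolver obtains DNSSEC data only by sending an EDNS OPT record with the DO bit set, and that same OPT record is where it advertises the UDP payload size it can accept (4000 bytes here, matching the Windows Server 2008 R2 default). The parser also reports the TC (truncated) bit, so a reply that a middlebox has forced down to 512 bytes can be recognised and retried over TCP. The resolver address used by the live check at the bottom (127.0.0.1) and the choice of the root DNSKEY RRset as a large-reply probe are assumptions of this example; the wire format follows RFCs 1035, 3225 and 6891, and the packets inspected by the script are constructed by it.

```python
"""Build and inspect DNS queries with EDNS0 (RFC 6891) and the DNSSEC OK bit.

Added example, not from the Microsoft article. A query without an OPT
record is what the pre-2008 R2 Windows DNS servers send; such a query never
receives DNSSEC records, whatever the authoritative server has enabled.
"""
import socket
import struct
import sys

OPT_TYPE = 41          # EDNS0 pseudo-RR type (RFC 6891)
DO_FLAG = 0x8000       # DNSSEC OK bit in the OPT TTL field (RFC 3225)
FLAG_TC = 0x0200       # truncation bit in the DNS header flags (RFC 1035)
TYPE_DNSKEY = 48


def encode_name(name):
    """Wire-format a domain name ('.' encodes to a single zero byte)."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def build_query(name, qtype, qid=0x1234, edns=True, udp_size=4000, do=True):
    """Return a DNS query message. With edns=False it is a plain pre-EDNS
    query (no OPT record, implicit 512-byte limit). With edns=True an OPT
    record advertises udp_size and, if do=True, requests DNSSEC records."""
    arcount = 1 if edns else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)  # RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)     # class IN
    msg = header + question
    if edns:
        ttl = DO_FLAG if do else 0
        # OPT RR: root name, TYPE 41, CLASS = requestor's UDP payload size,
        # TTL = extended RCODE / version / flags (DO is the top flag bit),
        # RDLENGTH 0 because no EDNS options are attached.
        msg += b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, ttl, 0)
    return msg


def skip_name(data, off):
    """Return the offset just past the name at off (compression pointers
    are two bytes and terminate the name)."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_message(data):
    """Summarise a DNS message: header flags, section counts and, if an OPT
    record is present, the advertised UDP size and the DO bit."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    info = {"id": qid, "truncated": bool(flags & FLAG_TC), "rcode": flags & 0xF,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
            "length": len(data), "edns": False, "udp_size": 512, "do": False}
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4          # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        off = skip_name(data, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT_TYPE:
            info.update(edns=True, udp_size=rclass, do=bool(ttl & DO_FLAG))
    return info


def needs_tcp_retry(data):
    """True when the reply carries TC=1: the answer did not fit in the UDP
    size that actually made it through the path, so retry over TCP."""
    return parse_message(data)["truncated"]


def query_udp(server, name, qtype=TYPE_DNSKEY, udp_size=4000, timeout=3.0):
    """Send one EDNS/DO query over UDP and return the parsed reply. The root
    DNSKEY RRset with its signature is well over 512 bytes, which makes it a
    convenient probe for large-UDP handling on the path (assumption)."""
    q = build_query(name, qtype, udp_size=udp_size)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return parse_message(s.recv(65535))


if __name__ == "__main__":
    # Live check against a resolver (assumed: 127.0.0.1 unless given on the
    # command line). truncated=True on the reply means something between
    # this host and the resolver is limiting DNS over UDP to 512 bytes.
    resolver = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(query_udp(resolver, "."))
```

The TC check is the practical part: a resolver that advertises 4000 bytes but sits behind a firewall that drops fragments will see either a timeout (fragments lost) or, if the server caps its reply, a truncated answer that must be retried over TCP, which is exactly the failure mode the article warns about.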
Information about DNSSEC for the Root Zone
DNSSEC unlikely to break Internet on May 5 (author: Bill Detwiler, TechRepublic)
Warning: Why your Internet might fail on May 5th (author: Brett Winterford, ITNews for Australian Business)
Will DNSSEC kill your internet? (author: Kevin Murphy, The Register)
OARC's DNS Reply Size Test Server
The story of the Mysteriously Malfunctioning Mail Router (aka EDNS and Exchange escapades)
Microsoft DNSSEC Deployment Guide
Article ID: 2028240 - Last Review: 04 Jun 2010 - Revision: 1