4

After reading about the DNSSEC implementation in Windows Server 2008 R2, it seems to me that it adds extra complexity without being fully secure anyway (I do understand that more security always means more complexity in most cases).

First, the DNS client is not aware of DNSSEC and asks the same server which resolved the record to check the validity of this record, and it does so only if an NRPT table is present (you need to configure this additionally: no table, no check; and this is still the case in WS 2012/Win 8). Apart from looking somewhat clumsy architecture-wise, the thing is that the client doesn't have any option to validate the DNS server (to be 100% secure in this respect you need IPsec deployed in the Windows network, which adds even more complexity).

So, taking all this into account, is deploying DNSSEC worthwhile in the real world? Does it really improve security or just add unnecessary complexity?

Does anybody really use this technology in enterprise Windows networks?

Michael Hampton
Mikhail

1 Answer

5

One way to look at it is that it doesn't matter whether it's "worth it" or not. It's straight-up mandatory in certain environments that must comply with certain audit policies such as FISMA and FedRAMP. (Read NIST Special Publication 800-53 SC-20 and SC-21.)

If you're not under those types of requirements, then only you can decide if it's worth it to you or not. It is true that DNSSEC and IPsec introduce complexity. It is true that using DNSSEC with internal/private zones without also coupling it with IPsec is of limited value. When speaking in terms of internal/private DNS zones, DNSSEC is only really useful if the client can trust that he or she is talking to the true, correct DNS server. And validating that authentication generally also requires IPsec.

Also, consider not using DNSSEC on Windows Server on anything less than Server 2012. DNSSEC on Server 2008 R2 is capable of using only SHA-1, not SHA-2. And since the internet root zone (that is, .) is signed with RSA/SHA-256, that means Server 2008 R2 will be useless as a validator of internet zones. Server 2012 and above addresses this problem.

Whether that complexity is too much for you or your company to handle or whether the added benefit is worth it... is too subjective and we can't answer for you.

Ryan Ries
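The two points raised above (the client validates nothing unless an NRPT rule covers the name, and validation is only meaningful if the query to the resolver is itself protected by IPsec) can be put together in one client-side configuration. This is an added example, not code from the question or the answer; it assumes Windows 8 / Server 2012 or later, a placeholder namespace `.corp.example.com`, and a placeholder IPsec CA name, and it uses the DnsClient module cmdlets (`Get-DnsClientNrptRule`, `Add-DnsClientNrptRule`, `Get-DnsClientNrptPolicy`, `Resolve-DnsName`).

```powershell
# Added example (not from the original post). Assumptions: Windows 8 /
# Server 2012+, placeholder namespace and CA name. Run elevated.
$namespace = '.corp.example.com'   # leading dot = match the whole suffix

# 1. Weak state: with no NRPT rule covering the namespace, the client never
#    asks the resolver to validate ("no table, no check"). Expect no output.
Get-DnsClientNrptRule | Where-Object Namespace -eq $namespace

# 2. Hardened rule for the namespace:
#    -DnsSecValidationRequired  : unvalidated answers are discarded instead
#                                 of being handed to applications
#    -DnsSecQueryIPsecRequired  : the query to the DNS server must travel
#                                 inside an IPsec SA, so the client can tell
#                                 it is talking to the genuine resolver
#    -DnsSecIPsecCARestriction  : only certificates from this CA may
#                                 authenticate that IPsec SA (placeholder CN)
Add-DnsClientNrptRule -Namespace $namespace `
    -DnsSecEnable `
    -DnsSecValidationRequired `
    -DnsSecQueryIPsecRequired `
    -DnsSecQueryIPsecEncryption 'High' `
    -DnsSecIPsecCARestriction 'CN=Corp Root CA' `
    -Comment 'Require DNSSEC validation and IPsec to the resolver'

# 3. Confirm the effective policy (domain Group Policy NRPT rules, if any,
#    take precedence over this local rule, so check the merged result).
Get-DnsClientNrptPolicy -Effective |
    Where-Object Namespace -eq $namespace |
    Format-List Namespace, DnsSecValidationRequired,
                DnsSecQueryIPsecRequired, DnsSecQueryIPsecEncryption

# 4. Inspect an answer with the DO bit set: a signed zone returns RRSIG
#    records alongside the A record; an unsigned zone returns none, and
#    with validation required the lookup fails rather than succeeding.
Resolve-DnsName -Name "www$namespace" -Type A -DnssecOk
```

On Server 2008 R2 the same rule is only as strong as the resolver's SHA-1-only validation, which is the other half of the answer's advice to start at Server 2012.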