How to configure DNSSEC with Windows 2003

Discussion in 'DNS Server' started by desquestions, Mar 11, 2010.

  1. desquestions

    desquestions Guest

    Hello
    Have you ever use DNNSEC with Windows 2003. Needs information about it.
    also tools to try DNSSEC.

    Thansks
     
    desquestions, Mar 11, 2010
    #1
    1. Advertisements


  2. I haven't had a requirement to use DNSSEC in any version of Windows, however, I do know with Windows 2003 there's limited support. The following are my notes on it, which are rather limited. However, I hope you find them helpful.

    ==================================================================
    DNSSEC and TrustedAnchors

    Trustedanchors and DNSSEC (DNS security) is a new
    industry implementation that is now offered in Windows 2008 R2. It's a new
    feature that when you implement it, it associates a certificate (or key) to
    a zone in DNS. The feature is optional during DNS installation, which
    will then allow DNS security, which then you have to setup a trustedanchor.

    There is limited DNSSEC support in Windows Server 2003 DNS. Windows 2003 can act
    as a secondary DNS server for an existing DNSSEC-compliant zone. Windows
    clients will cache DNSSEC resource records, but perform no cryptography,
    authentication, or verification. Perhaps to get full functionality in Windows 2003,
    you can implementing DNSSEC running BIND on Windows. For full Windows native
    functionality, you would have to upgrade to Windows 2008 to get full DNSSEC support.
    See the following link for more information.

    Using DNS Security Extensions (DNSSEC) Windows 2003
    http://technet.microsoft.com/en-us/library/cc728328(WS.10).aspx


    ======
    Related Links:

    Distribute Trust Anchors
    http://technet.microsoft.com/en-us/library/ee649280(WS.10).aspx

    DNS Security Extensions (DNSSEC)
    http://technet.microsoft.com/en-us/library/ee683904(WS.10).aspx

    Configure DNSSEC. Applies To: Windows Server 2003, Windows Server 2003 R2, ...
    http://technet.microsoft.com/en-us/library/cc784518(WS.10).aspx

    Modify DNSSEC configuration: (DNS). Applies To: Windows Server 2003, Windows Server 2003 R2, ...
    http://technet.microsoft.com/en-us/library/cc779943(WS.10).aspx

    TrustAnchor zone created when using Windows 7 to configure the DNS zones with RSAT in Windows server 2003 domains without any Windows

    Server 2008.
    Scroll down to the comments in:
    http://blogs.technet.com/sseshad/archive/2008/10/30/dnssec-in-windows-7.aspx

    DNSSEC Presentations (DNSSEC - DNS Security Extensions)NLnet Labs for CENTR, Sep 2003. Changes to DNS in Windows Server 2003

    (Powerpoint) ... Paul Wouters, Aug 2003. DNSSEC and Zone Enumeration (Powerpoint) ...
    www.dnssec.net/presentations

    ======
    Errors with DNSSEC:

    Error: "The request subject name is invalid or too long. 0x80094001"

    Request for Certificate Is Denied and a "The Request Subject Name ...The
    request subject name is invalid or too long. 0x80094001. In addition, the
    following message may be logged in the event log: ...
    http://support.microsoft.com/kb/312344

    Windows Server 2003 Does Not Use the DNS Name as Certificate SubjectIn
    Windows 2000, the Domain Name System (DNS) name of a computer is embedded as
    the ... (0x80094001) The request subject name is invalid or too long. ....
    http://support.microsoft.com/kb/275528
    ==================================================================

    --
    Ace

    This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

    Please reply back to the newsgroup or forum for collaboration benefit among responding engineers, and to help others benefit from your resolution.

    Ace Fekay, MVP, MCT, MCITP EA, MCTS Windows 2008 & Exchange 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services

    If you feel this is an urgent issue and require immediate assistance, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
     
    Ace Fekay [MVP-DS, MCT], Mar 12, 2010
    #2
    1. Advertisements

  3. desquestions

    desquestions Guest

    Ace Fekay [MVP-DS, MCT] a écrit :
    Thanks a lot
     
    desquestions, Mar 14, 2010
    #3

  4. You are welcome!

    Ace
     
    Ace Fekay [MVP-DS, MCT], Mar 15, 2010
    #4
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.