Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo
Thank you Ashu Kumar for helping me!
June 22 2017
With the rollover of the DNSSEC root key approaching (introduction of the new key on 11 July 2017 and switchover on 11 October 2017), and having recently been pleasantly surprised by the number of Windows DNS resolver installations out there considering DNSSEC, I felt the need to run through the exercise of stress testing Windows Server 2016 DNS against an accelerated RFC5011 rollover using
https://icksk.dnssek.info/fauxroot.html (see here for Win Server 2012 R2). That platform follows the actual root key rollover steps in a continuous, accelerated fashion and has been in operation since 2015, testing against various resolvers specially configured to work with accelerated RFC5011.
Result: I saw no problems with Windows Server 2016 out of the box. The DNS server properly tracked continual accelerated root key rolls (every 27 minutes) with no validation failures, and keys were recorded in C:\windows\system32\dns\rfc5011.csv.
Although I know there are many much more expert than me in Windows DNS use and management, for reference I have documented the steps I took below.
-
Install a fresh copy of Windows Server 2016 Essentials from DVD or ISO. (I did this on KVM)
-
Do all Windows Updates. You do NOT WannaCry!! You can check Windows Update operation with "Server Manager". You may need to fix update error 0x80070422 by enabling Windows Update under "Windows Administrative Tools" --> "Services" --> "Windows Update".
-
Out of the box, the DNS server was working as a resolver but not DNSSEC validating. Before going forward, test this by doing some "dig"s against the server IP address.
Take a look at the DNS server configuration by going to "Windows Administrative Tools" --> "DNS". Click on the name of your server below "DNS" and a bunch of containers should show up in the right column. One should be "Trust Points".
If you do not see a "Trust Points" container, do:
dnscmd /config /enablednssec 1
from an Administrator command prompt ("Windows System"--> right click "Command Prompt" --> "More" --> "Run as Administrator").
-
Set up accelerated RFC5011 mode for the DNS server by opening a command prompt and running "regedit" and going to
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
then Edit --> New --> DWORD and creating
TestMode_AccelerateRFC5011Timing and setting the value to 1
This brings the RFC5011 default add hold-down time down to 1 minute and the minimum active refresh interval to 16 seconds.
Next create
TestMode_AccelerateKeyRolloverTiming and set value to 1
This accelerates the SKD rollover period and rollover offset by a factor of 10080, so that 1 week becomes 1 minute.
Close "regedit".
-
Set up DNS to use the accelerated root servers by double clicking "Root Hints" in the right panel --> "Remove" all of them. Then --> "Add"
a.moot-servers.net
IP Address
192.101.186.81
Then "OK", "OK" out.
You may also wish to clear out entries in the "Forwarders" container.
-
Next, create the Trust Anchors file by running Notepad, visiting https://icksk.dnssek.info/fauxroot.html, and cutting and pasting the lines after "Set initial unbound.root.key to:" into Notepad. Then edit the lines by adding "( )" around each key to satisfy the format the server wants to see, e.g.
.
12 IN DNSKEY 257 3 8 (
AwEAAb5sMme6tFHFVkM4QQ0HbfVAVVWBc9A28elLHhwbVd/LCKdHqUJK HgXIwi3mPNIBDfu1xakLcnt4aD2dIAj2IWDSez8n1e4GO7c18tYcpxc2 U2KlJl7PFzwQYXhXRCFU7QqPnJpqudLLILlYOPMw4SiQCbQExp7aSUum JwST98ycVHC2zOAcozl7dUsmPxK5KECsyCelATsqSCUtVFehkJysxPD4 DMyLFVj1f+dxUdJwcuWg95ZULIwNnBmOLV7hBCPei+95Ln/uTI0n+5UM W91s60w5kuTJqLbJQbT0tzyw2WnN5LkP0qzbFuGwcBpjnkZU7wAXBaoA Jkq3qLseTIE=
)
.
12 IN DNSKEY 257 3 8 (
AwEAAeUfSEWxpECcZjJOmpaBS4B0nmcSwS8FoHBNVL466L8gVLeoRk/y /g/JZNPxt2IQ55nQomvJY/Cs0ORal+A6mbKupzvonIGNboHXJX/2icTt eRSoLIelwz4mXeJwDQS/IsXQsDn8R9yvNokUq7rW4uD1usnrgWe32R2m /jvUnGrdNDAP4qGQLYxbDllvp06US5+mm4Rj4/Ncd5sMi5C27HhnG1i0 nhuoMm5kX9GTawtuZHA0Oa9jki9XJfi/EUB3tUvljJ8B8p+n/QYdExW+ BPkat7Lg7axXA0iULxbL6k7q39l9TvJNWAod1o3Xor/rgeeEw7rbzuz3 4uLxZKf/M1U=
)
Save the file to something like ThisPC > Documents > key123.txt
Note: You must do all this quickly since the accelerated key roll is happening every 27 minutes. So this may take a few tries.
-
Now go to the DNS configuration window and click on Trust Points --> Import --> DNSKEY and browse to the file you just created with notepad. Clicking "OK" should accept the new root KSKs. If the format is incorrect, Windows will pop-up an error.
-
I found that typically the DNS server will just pick up the new keys and, after a short cache wait, "dig +dnssec ..." will start returning the AD bit. However, you may need to right click on the machine name under "DNS" --> "Clear Cache" or --> "All Tasks" --> "Restart".
-
That's it. Windows Server 2016 DNS should now be DNSSEC validating and tracking root KSK rollovers every 27 minutes. This process can also be seen in the C:\windows\system32\dns\RFC5011.CSV file, which will list all the current and past keys. You can delete this file between tests to clear out stale/duplicate keys.
Also, seeing rfc5011.csv in the directory assures you that the DNS server was able to write to this directory, a necessity for successful rollover.
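For repeating the test without clicking through the GUI each time (which matters given the 27-minute key roll window), here is the same procedure as an elevated PowerShell script. This is an added example, not part of the original write-up: it sets the two test-mode registry values, swaps the root hints for the accelerated faux root, loads the KSKs from the Notepad-made key file as trust points, restarts the service and checks for rfc5011.csv. The DnsServer cmdlet names are real, but their exact parameter usage here, the key file path, and the regex pulling the base64 out of the "( )" record format are my assumptions; verify them with Get-Help on your host. The AD-bit check itself is still the "dig +dnssec" query described above.

```powershell
# Added example (not from the original page). Run from an elevated PowerShell
# on the Windows Server 2016 DNS host. Key file path is a placeholder.
$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$keyFile   = "$env:USERPROFILE\Documents\key123.txt"  # file built in the Notepad step (assumed path)
$fauxRoot  = @{ Name = 'a.moot-servers.net'; IP = '192.101.186.81' }  # accelerated root from the page
$stateFile = 'C:\Windows\System32\dns\rfc5011.csv'

# 1. Make sure DNSSEC is enabled (same as the dnscmd step above).
dnscmd /config /enablednssec 1 | Out-Null

# 2. Create the two test-mode DWORDs (value 1) that shorten the RFC5011 timers.
foreach ($name in 'TestMode_AccelerateRFC5011Timing', 'TestMode_AccelerateKeyRolloverTiming') {
    New-ItemProperty -Path $dnsParams -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
}

# 3. Replace the real root hints with the faux root server.
Get-DnsServerRootHint | ForEach-Object {
    Remove-DnsServerRootHint -NameServer $_.NameServer.RecordData.NameServer -Force
}
Add-DnsServerRootHint -NameServer $fauxRoot.Name -IPAddress $fauxRoot.IP

# 4. Load each "<owner> <ttl> IN DNSKEY 257 3 8 ( <base64> )" record from the key
#    file as a trust point for ".". Whitespace inside the base64 is stripped.
#    (Assumed: Add-DnsServerTrustAnchor accepts -Name/-CryptoAlgorithm/-Base64Data.)
$text = Get-Content $keyFile -Raw
$keys = [regex]::Matches($text, 'DNSKEY\s+257\s+3\s+8\s*\(\s*([^)]+)\)')
if ($keys.Count -eq 0) { throw "No DNSKEY 257 3 8 records found in $keyFile" }
foreach ($m in $keys) {
    $b64 = ($m.Groups[1].Value -replace '\s', '')
    Add-DnsServerTrustAnchor -Name '.' -CryptoAlgorithm RsaSha256 -Base64Data $b64
}

# 5. Restart so the trust points and timers take effect, then show the anchors
#    and confirm the server could write its RFC5011 state file.
Restart-Service DNS
Start-Sleep -Seconds 15
Get-DnsServerTrustAnchor -Name '.'
if (Test-Path $stateFile) { "OK: $stateFile present (server can write its state)" }
else { "WARNING: $stateFile missing; check directory permissions" }
```

Between test runs, delete the state file (as the text above notes) and rerun the script with a freshly pasted key file; the regex will pick up however many KSKs the faux root is currently publishing.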
-
Hope this helps - Rick Lamb