[ksk-rollover] Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo
richard.lamb at icann.org
Mon Jun 26 00:34:00 UTC 2017
Given the Infoblox note on this list and recently being (pleasantly) surprised by my students at the number of Windows DNS resolver installations out there considering DNSSEC, I felt the need to run through the exercise of stress testing Win Server 2016 DNS against accelerated RFC5011 rollover https://icksk.dnssek.info/fauxroot.html (did Win Server 2012 R2 a while back). The platform follows the root key rollover steps in a continuous accelerated fashion and has been in operation since 2015, testing against various resolvers specially configured to work with accelerated RFC5011.
RESULT: I saw no problems with Windows Server 2016 out of the box. The DNS server properly tracked continual accelerated root key rolls (every 27 minutes) with no validation failures and keys recorded in C:\windows\system32\dns\rfc5011.csv.
I know this should not be new info but just call me cautious.
The steps I took are at https://icksk.dnssek.info/w2k16howto.html if you want to replicate.
Hope it helps.