[ksk-rollover] Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo

Kumar Ashutosh Kumar.Ashutosh at microsoft.com
Mon Jun 26 10:11:39 UTC 2017

Hi Rick
Your observations are as expected, as there is no change in DNSSEC rollovers from 2012R2 to 2016 server.


-----Original Message-----
From: ksk-rollover-bounces at icann.org [mailto:ksk-rollover-bounces at icann.org] On Behalf Of Richard Lamb
Sent: Monday, June 26, 2017 6:04 AM
To: ksk-rollover at icann.org
Cc: DNSSEC Coordination (dnssec-coord at elists.isoc.org) <dnssec-coord at elists.isoc.org>
Subject: [ksk-rollover] Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo

Given the Infoblox note on this list and recently being (pleasantly) surprised by my students at the number of Windows DNS resolver installations out there considering DNSSEC, I felt the need to run through the exercise of stress testing Win Server 2016 DNS against accelerated RFC5011 rollover https://icksk.dnssek.info/fauxroot.html (did Win Server 2012 R2 a while back). The platform follows the root key rollover steps in a continuous accelerated fashion and has been in operation since 2015 testing against various resolvers specially configured to work with accelerated RFC5011.

RESULT: I saw no problems with Windows Server 2016 out of the box. The DNS server properly tracked continual accelerated root key rolls (every 27 minutes) with no validation failures and keys recorded in C:\windows\system32\dns\rfc5011.csv.

I know this should not be new info but just call me cautious.

The steps I took are at https://icksk.dnssek.info/w2k16howto.html if you want to replicate.

Hope it helps.
