[ksk-rollover] Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo

Richard Lamb richard.lamb at icann.org
Mon Jun 26 17:50:34 UTC 2017

Thank you for the original help on this, Ashu (and patience with me). Over the past year I have been getting more interest in classes in DNSSEC and your server.



> On Jun 26, 2017, at 3:12 AM, Kumar Ashutosh <Kumar.Ashutosh at microsoft.com> wrote:
> Hi Rick
> Your observations are as expected, as there is no change in DNSSEC rollovers from 2012R2 to 2016 server.
> Thanks
> Ashu
> -----Original Message-----
> From: ksk-rollover-bounces at icann.org [mailto:ksk-rollover-bounces at icann.org] On Behalf Of Richard Lamb
> Sent: Monday, June 26, 2017 6:04 AM
> To: ksk-rollover at icann.org
> Cc: DNSSEC Coordination (dnssec-coord at elists.isoc.org) <dnssec-coord at elists.isoc.org>
> Subject: [ksk-rollover] Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo
> Given the Infoblox note on this list and recently being (pleasantly) surprised by my students at the number of Windows DNS resolver installations out there considering DNSSEC, I felt the need to run through the exercise of stress testing Win Server 2016 DNS against accelerated RFC5011 rollover https://icksk.dnssek.info/fauxroot.html (did Win Server 2012 R2 a while back). The platform follows the root key rollover steps in a continuous accelerated fashion and has been in operation since 2015 testing against various resolvers specially configured to work with accelerated RFC5011.
> RESULT: I saw no problems with Windows Server 2016 out of the box. The DNS server properly tracked continual accelerated root key rolls (every 27 minutes) with no validation failures and keys recorded in C:\windows\system32\dns\rfc5011.csv.
> I know this should not be new info but just call me cautious.
> The steps I took are at https://icksk.dnssek.info/w2k16howto.html if you want to replicate.
> Hope it helps.
> -Rick
