Is the Windows XP DNS resolver able to check the validity of the DNS data using DNSSEC? Is this feature turned on by default? And does the Windows Server support

#2

No, DNSSEC isn't supported in any version of Windows.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"totojepast" <totojepast@razdva.cz> wrote in message
news:4cdf919f-4cba-4940-aead-fb1d460c0fbe@k13g2000hse.googlegroups.com...
> Is the Windows XP DNS resolver able to check the validity of the DNS
> data using DNSSEC? Is this feature turned on by default?
>
> And does the Windows Server support DNSSEC for publishing the public
> DNS records?

#3

Clarification. There is _limited_ support: Windows Server 2003 DNS can act as a secondary DNS server for an existing DNSSEC-compliant zone. Windows clients will cache DNSSEC resource records, but perform no cryptography, authentication, or verification.

More information here:
http://technet.microsoft.com/en-us/l.../cc728328.aspx

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:5CCD3A14-68B3-471F-9328-D1ED272FD113@microsoft.com...
> No, DNSSEC isn't supported in any version of Windows.
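
The difference described in the reply above, between a client that only carries DNSSEC records and a resolver that has verified them, is visible in the DNS message itself. The following is an added example, not part of the thread and not Microsoft code: it parses a DNS response, reports whether the AD (Authenticated Data) header flag is set and whether RRSIG records are present, and classifies the answer. The function names and the sample response for example.com are constructed for illustration, and the signature bytes are placeholders.

```python
import struct

RRSIG = 46        # RR type carrying a DNSSEC signature (RFC 4034)
AD_BIT = 0x0020   # "Authenticated Data": set by a resolver that validated the answer

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length
        if length == 0:                # root label ends the name
            return off

def dnssec_status(msg):
    """Report the AD flag and which RR types the answer's RRSIGs cover."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    covered = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == RRSIG:                     # first RDATA field: type covered
            covered.append(struct.unpack("!H", msg[off:off + 2])[0])
        off += rdlen
    return {"ad": bool(flags & AD_BIT), "rrsig_covers": covered}

def classify(msg):
    """Separate 'signatures are present' from 'someone verified them'."""
    status = dnssec_status(msg)
    if status["ad"]:
        # Only meaningful when the path to the resolver is itself trusted.
        return "validated-by-resolver"
    if status["rrsig_covers"]:
        return "signed-but-unvalidated"        # records carried, nothing checked
    return "unsigned"

def build_sample(ad, signed=True):
    """Constructed response for 'example.com A'; the signature bytes are dummies."""
    qname = b"\x07example\x03com\x00"
    flags = 0x8180 | (AD_BIT if ad else 0)     # QR + RD + RA
    msg = struct.pack("!6H", 0x1234, flags, 1, 2 if signed else 1, 0, 0)
    msg += qname + struct.pack("!HH", 1, 1)    # question: type A, class IN
    owner = b"\xc0\x0c"                        # pointer back to the question name
    msg += owner + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    if signed:
        rdata = struct.pack("!HBBIIIH", 1, 13, 2, 300, 0, 0, 12345)
        rdata += qname + bytes(64)             # signer name + placeholder signature
        msg += owner + struct.pack("!HHIH", RRSIG, 1, 300, len(rdata)) + rdata
    return msg

if __name__ == "__main__":
    for label, msg in [("no AD, RRSIG present", build_sample(False)),
                       ("AD set, RRSIG present", build_sample(True)),
                       ("no AD, no RRSIG", build_sample(False, signed=False))]:
        print(f"{label:24} -> {classify(msg)}")
```

A response that lands in the "signed-but-unvalidated" class is what a caching, non-validating client holds: the RRSIG is there, but nothing has checked it.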

#4

Will DNSSEC be fully supported in future versions of Windows, Steve? In addition, will any current versions of Windows be updated to fully support it via cryptography, authentication and/or verification, Steve, including but not limited to Windows Server 2003?

"Steve Riley [MSFT]" wrote:
> Clarification. There is _limited_ support: Windows Server 2003 DNS can act
> as a secondary DNS server for an existing DNSSEC-compliant zone. Windows
> clients will cache DNSSEC resource records, but perform no cryptography,
> authentication, or verification.
>
> More information here:
> http://technet.microsoft.com/en-us/l.../cc728328.aspx

#5

How about the problems on web sites with errors about missing scripts and lost objects and other stuff?

"Steve Riley [MSFT]" wrote:
> What problem can you solve with DNSSEC that is not already solved with IPsec
> or SSL?

#6

Signed name resolution records won't address those issues.

Say you want to connect to WebServerA. Say you want a way to be assured that you are, indeed, connecting to WebServerA, not some imposter. Well, there already exists a mechanism to do that: SSL. SSL authenticates the server to your computer, because your computer trusts the organization that issued the server's certificate.

Say you want to connect to FileServerB. Say you want a way to be assured that you are, indeed, connecting to FileServerB, not some imposter. Well, there already exists a mechanism to do that: IPsec. IPsec authenticates the server to your computer (and your computer to the server), because both the server and your computer trust the issuers of their respective certificates.

See, this is really what matters. Spoofing DNS is a useless attack if the servers are protected by SSL or IPsec. Bolting cryptography onto DNS will be monumentally expensive to deploy across the Internet and doesn't address the real question. DNSSEC answers this question: "Can I trust the answer given to my name resolution request?" Yet the more important question is "Can I trust that I'm going to the right server?" And this question is already answered by SSL and IPsec.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"Dan" <Dan@discussions.microsoft.com> wrote in message
news:0A907A01-2DC6-4A22-B075-F2DE8C4BBABA@microsoft.com...
> How about the problems on web sites with errors about missing scripts and
> lost objects and other stuff?

#7

On Tue, 26 Aug 2008 08:49:01 -0700, Dan wrote:
> How about the problems on web sites with errors about missing scripts and
> lost objects and other stuff?

The error you mentioned on the MSNBC site the other day was simply that, a coding error on the web site, not some malicious attack as you stated in your post.
You seem to think that the DNS poisoning issue is currently a big problem and it simply is not.
You're like the proverbial man with a hammer, to him, everything looks like a nail.

--
Paul Adare
MVP - Identity Lifecycle Manager
http://www.identit.ca
Variables won't; constants aren't. -- Osborn

#8

Yeah, it is important. Akin to the way you should get programs only from trusted sources. But how can anyone verify the validity of the data returned? AV is in place to stopgap the bad information from trusted source issue when programs are the concern, do you think it is completely unnecessary to stopgap the same sort of thing for poisoned DNS data?

Sure, if DNS poisoning is not very common, then there is little risk - and crypto is like a 12-gauge flyswatter.

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:840985B2-477A-4757-BBC2-852DD7EBDEF1@microsoft.com...
> Signed name resolution records won't address those issues.
>
> Say you want to connect to WebServerA. Say you want a way to be assured
> that you are, indeed, connecting to WebServerA, not some imposter. Well,
> there already exists a mechanism to do that: SSL. SSL authenticates the
> server to your computer, because your computer trusts the organization
> that issued the server's certificate.
>
> Say you want to connect to FileServerB. Say you want a way to be assured
> that you are, indeed, connecting to FileServerB, not some imposter. Well,
> there already exists a mechanism to do that: IPsec. IPsec authenticates
> the server to your computer (and your computer to the server), because
> both the server and your computer trust the issuers of their respective
> certificates.
>
> See, this is really what matters. Spoofing DNS is a useless attack if the
> servers are protected by SSL or IPsec. Bolting cryptography onto DNS will
> be monumentally expensive to deploy across the Internet and doesn't
> address the real question. DNSSEC answers this question: "Can I trust the
> answer given to my name resolution request?" Yet the more important
> question is "Can I trust that I'm going to the right server?" And this
> question is already answered by SSL and IPsec.

#9

Cache poisoning is only a means to an end. The attacker's _real_ goal is to get you on his server rather than the one you actually want. So ensuring authenticity of the legitimate server is the proper defense here, rather than worrying about the plumbing. And we can accomplish that today with SSL and IPsec.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

"FromTheRafters" <erratic@ne.rr.com> wrote in message
news:er3ykC#BJHA.1228@TK2MSFTNGP02.phx.gbl...
> Yeah, it is important. Akin to the way you should get
> programs only from trusted sources. But how can
> anyone verify the validity of the data returned? AV
> is in place to stopgap the bad information from trusted
> source issue when programs are the concern, do you
> think it is completely unnecessary to stopgap the same
> sort of thing for poisoned DNS data?
>
> Sure, if DNS poisoning is not very common, then there
> is little risk - and crypto is like a 12gauge flyswatter.

#10

"Paul Adare - MVP" <pkadare@gmail.com> wrote in message
news:s5kai30oe5ub.tl3rblibm2lf.dlg@40tude.net...
> On Tue, 26 Aug 2008 08:49:01 -0700, Dan wrote:
>
>> How about the problems on web sites with errors about missing scripts and
>> lost objects and other stuff?
>
> The error you mentioned on the MSNBC site the other day was simply that, a
> coding error on the web site, not some malicious attack as you stated in
> your post.
> You seem to think that the DNS poisoning issue is currently a big problem
> and it simply is not.
> You're like the proverbial man with a hammer, to him, everything looks
> like a nail.
>
> --
> Paul Adare
> MVP - Identity Lifecycle Manager
> http://www.identit.ca
> Variables won't; constants aren't. -- Osborn

Paul,

Your web site says

"IdentIT is offering public training on ILM 2007 Certificate Management. The course covers the fundamentals of ILM 2007 Certificate Management and provides you with hands-on experience with the product before deploying ILM 2007 Certificate Management in your organization.

The following dates have been booked for ILM 2007 Training:

a.. Mississauga, Ontario, Canada - November 13 - 16, 2007 - Click here to register!
b.. New York City, NY, USA - TBA"

http://www.identit.ca/clm.html

I've mentioned this before, but no action has been taken to correct matters (2007 has long gone!)

Would you like to borrow a hammer? <wink>

Dave