Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo
Given the Infoblox note on this list and recently being (pleasantly) surprised by my students at the number of Windows DNS resolver installations out there considering DNSSEC, I felt the need to run through the exercise of stress testing Win Server 2016 DNS against accelerated RFC5011 rollover https://icksk.dnssek.info/fauxroot.html (did Win Server 2012 R2 a while back). The platform follows the root key rollover steps in a continuous accelerated fashion and has been in operation since 2015 testing against various resolvers specially configured to work with accelerated RFC5011.
RESULT: I saw no problems with Windows Server 2016 out of the box. The DNS server properly tracked continual accelerated root key rolls (every 27 minutes) with no validation failures and keys recorded in C:\windows\system32\dns\rfc5011.csv.
I know this should not be new info but just call me cautious.
The steps I took are at https://icksk.dnssek.info/w2k16howto.html if you want to replicate.
Hope it helps.
-Rick
Hi Rick
Your observations are as expected as there is no change in DNSSEC rollovers from 2012R2 to 2016 server
Thanks
Ashu
-----Original Message-----
From: ksk-rollover-bounces@icann.org [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Richard Lamb
Sent: Monday, June 26, 2017 6:04 AM
To: ksk-rollover@icann.org
Cc: DNSSEC Coordination (dnssec-coord@elists.isoc.org) <dnssec-coord@elists.isoc.org>
Subject: [ksk-rollover] Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo
Given the Infoblox note on this list and recently being (pleasantly) surprised by my students at the number of Windows DNS resolver installations out there considering DNSSEC, I felt the need to run through the exercise of stress testing Win Server 2016 DNS against accelerated RFC5011 rollover https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ficksk.dnsse... (did Win Server 2012 R2 a while back). The platform follows the root key rollover steps in a continuous accelerated fashion and has been in operation since 2015 testing against various resolvers specially configured to work with accelerated RFC5011.
RESULT: I saw no problems with Windows Server 2016 out of the box. The DNS server properly tracked continual accelerated root key rolls (every 27 minutes) with no validation failures and keys recorded in C:\windows\system32\dns\rfc5011.csv.
I know this should not be new info but just call me cautious.
The steps I took are at https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ficksk.dnsse... if you want to replicate.
Hope it helps.
-Rick
_______________________________________________
ksk-rollover mailing list ksk-rollover@icann.org https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.icann.or...
Thank you for the original help on this Ashu (and patience with me). Over the past year I have been getting more interest in classes in dnssec and your server.
Best
Rick
Sent from my iPhone
On Jun 26, 2017, at 3:12 AM, Kumar Ashutosh <Kumar.Ashutosh@microsoft.com> wrote:
Hi Rick Your observations are as expected as there is no change in DNSSEC rollovers from 2012R2 to 2016 server
Thanks Ashu
-----Original Message-----
From: ksk-rollover-bounces@icann.org [mailto:ksk-rollover-bounces@icann.org] On Behalf Of Richard Lamb
Sent: Monday, June 26, 2017 6:04 AM
To: ksk-rollover@icann.org
Cc: DNSSEC Coordination (dnssec-coord@elists.isoc.org) <dnssec-coord@elists.isoc.org>
Subject: [ksk-rollover] Windows Server 2016 Accelerated DNSSEC Root Rollover HowTo
Given the Infoblox note on this list and recently being (pleasantly) surprised by my students at the number of Windows DNS resolver installations out there considering DNSSEC, I felt the need to run through the exercise of stress testing Win Server 2016 DNS against accelerated RFC5011 rollover https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ficksk.dnsse... (did Win Server 2012 R2 a while back). The platform follows the root key rollover steps in a continuous accelerated fashion and has been in operation since 2015 testing against various resolvers specially configured to work with accelerated RFC5011.
RESULT: I saw no problems with Windows Server 2016 out of the box. The DNS server properly tracked continual accelerated root key rolls (every 27 minutes) with no validation failures and keys recorded in C:\windows\system32\dns\rfc5011.csv.
I know this should not be new info but just call me cautious.
The steps I took are at https://na01.safelinks.protection.outlook.com/?url=https%3A%2F%2Ficksk.dnsse... if you want to replicate.
Hope it helps. -Rick
participants (2)
- Kumar Ashutosh
- Richard Lamb