Scribd Logo
Upload

Welcome to Scribd!

  • Windows DNS Server SANOG24-Kumar

    Uploaded by

    Ravi Nakarmi
    25 views34 pages
    The document discusses new features and performance improvements in the Windows DNS server, including: - Improved DNSSEC support with the latest RFCs, new signing algorithms, automated trust anchor rollover, and support for third-party key management. - Enhanced performance through multiple client query farms, automated key rollovers, and keeping signatures and records up-to-date with dynamic updates. - Automation of DNSSEC management tasks like signing zones, generating and rolling over keys, and updating secure delegations.

    Original Description:

    DNS

    Copyright

    © © All Rights Reserved

    Available Formats

    PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses new features and performance improvements in the Windows DNS server, including: - Improved DNSSEC support with the latest RFCs, new signing algorithms, automated trust anchor rollover, and support for third-party key management. - Enhanced performance through multiple client query farms, automated key rollovers, and keeping signatures and records up-to-date with dynamic updates. - Automation of DNSSEC management tasks like signing zones, generating and rolling over keys, and updating secure delegations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    25 views34 pages

    Windows DNS Server SANOG24-Kumar

    Uploaded by

    Ravi Nakarmi
    The document discusses new features and performance improvements in the Windows DNS server, including: - Improved DNSSEC support with the latest RFCs, new signing algorithms, automated trust anchor rollover, and support for third-party key management. - Enhanced performance through multiple client query farms, automated key rollovers, and keeping signatures and records up-to-date with dynamic updates. - Automation of DNSSEC management tasks like signing zones, generating and rolling over keys, and updating secure delegations.

    Copyright:

    © All Rights Reserved
    Download as PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 34

    Windows DNS Server

    DNSSEC support and Performance

    Kumar Ashutosh
    Microsoft Corporation
    Overview DNSSEC

    Performance More…
    Overview
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    DNSSEC
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    ENABLING ENTERPRISE DNSSEC ROLLOUT

    §  Latest RFCs


    §  NSEC3 Support
    §  RSA/SHA-2, ECDSA Signing
    §  Automated Trust Anchor rollover
    §  Support for 3rd Party Key
    Management
    Overview DNSSEC

    Performance More…
    ENABLING ENTERPRISE DNSSEC ROLLOUT

    §  Support for Online Zone Signing.


    §  Sign/unsign/change DNSSEC settings on a live
    zone
    §  Add/remove records dynamically on a signed
    zone
    §  Improved DNS/DNSSEC server performance
    §  Trust Anchor Management
    §  Root Trust Anchor Management
    §  Managing Zone specific Trust Anchors
    §  Signed Delegations
    §  RFC 5011 for Automated, authenticated and
    authorized update of Trust Anchors
    Overview DNSSEC

    Performance More…
    ENABLING ENTERPRISE DNSSEC ROLLOUT

    Complete Powershell Support


    Overview DNSSEC

    Performance More…
    ENABLING ENTERPRISE DNSSEC ROLLOUT

    §  Automated re-signing on static and


    dynamic updates
    §  Automated key rollovers
    §  Automated signature refresh
    §  Automated updating of secure
    delegations
    §  Automated distribution and updating of
    Trust Anchors - RFC 5011
    Overview DNSSEC

    Performance More…

    "   DNS Manager wizard walks


    admin through signing process
    "   Generates Keys for signing
    zone on the first Server.
    "   Support for CNG compliant third
    party KSPs
    "   Signs it’s own copy of the zone
    Overview DNSSEC

    Performance More…

    "   Single location for all key generation and management


    "   Responsible for automated key rollover
    "   Administrator designates one server to be the key
    master
    "   First DNSSEC server becomes KM
    Overview DNSSEC

    "   Zone Signing Key Rollover: Performance More…

    "   Uses Pre-Publish Mechanism


    "   Key Singing key Rollover :
    "   Uses Double Signature Mechanism
    "   Trust Anchor Management: RFC 5011
    and Hold Down Time
    "   Key Retirals
    Overview DNSSEC

    "   Automated key rollovers Performance More…

    "   Key rollover frequency is


    configured per zone "   Signatures stay up-to-date
    "   Key master automatically "   New records are signed
    generates new keys automatically when zone data
    changes
    "   Secure delegations from "   Static and dynamic updates
    the parent are also "   NSEC records are kept up to date
    automatically updated
    "   Manual Rollovers are also
    available
    Performance
    Overview DNSSEC

    "  Multiple Client Query Farms:


    Performance More…

    "  Authoritative server


    "  Measurement server

    Query Farm 1 Processor(s):                                           Intel(R)  Xeon(R)  CPU  E5-­‐2630  0  @  2.30GHz  

    … Client n
      Maximum  speed:   2.30  GHz  
    Client 1

      Sockets:   2  
      Cores:   12  
      Logical  processors:   24  
    Authoritative   Virtualization:   Enabled  
    Measurement DNS Server
    server   L1  cache:   768  KB  
      L2  cache:   3.0  MB  
      L3  cache:   30.0  MB  
    Query Farm 2
    Total  Physical  Memory:             80  GB    
    Client 1 … Client N
    Network  Card(s):                           Broadcom  NetXtreme  Gigabit  Ethernet  
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    Nodes/second signed Memory factor

    350.00 7.00

    300.00 6.00

    250.00 5.00

    200.00 4.00

    150.00 3.00

    100.00 2.00

    50.00 1.00

    0.00 0.00
    Overview DNSSEC

    Performance More…
    Following slides are recommendations based on a server with following
    configuration. The setting may differ from hardware to hardware:
    Overview Deployment

    Performance More…

    New-NetFirewallRule -DisplayName <String> -Direction Inbound -Action Allow -Protocol UDP -


    LocalPort 53 -LocalOnlyMapping $true -Enabled True
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    Overview Deployment

    Performance New in DNS


    Overview DNSSEC

    Performance More…

    0001 = 1 ( CPU 1) 00010000 = 16 ( CPU 5)


    0010 = 2 ( CPU 2) 00100000 = 32 (CPU 6)
    0100 = 4 ( CPU 3 ) 01000000 = 64 (CPU 7)
    1000 = 8 ( CPU 4 ) .....
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…
    Overview DNSSEC

    Performance More…

    mailto:dns_msft@outlook.com
    Windows DNS Server Users Mailing List
    mailto:dns@microsoft.com
    Questions Suggestions

    Feedback ?

    You might also like