TU7 DNSSEC and Windows: Get Ready for a New DNS!

October 19th, 2010

11:15 AM - 12:30 PM

Prerequisite: None

Mark Minasi

IT Consultant, Author, Speaker

MR&D

Question: when is your bank's Web site NOT your bank's Web site?

Answer: after some criminal hijacks your bank's DNS domain, fooling you and other bank customers into divulging your usernames and passwords to that criminal's Web server. (And anti-phishing software can't help here!)

DNS was long considered to be the safe, secure bedrock of the Internet. In the past few years, however, an age-old, fundamental set of DNS vulnerabilities has led to attack approaches like the online banking theft scenario (which, by the way, is not simply a fantasy -- a proof-of-concept attack of this type unfortunately worked quite well). What to do? The answer among most Internet infrastructure experts is to implement a series of DNS extensions collectively called "DNSSEC," a technology first proposed in 1997.

Despite DNSSEC's age, you've probably either never heard of it or never had a reason to care much... but that's all changing. Since 2009, DNSSEC implementation has kicked into high gear. Many important top-level domains like .gov, .org and much of the root zone are now on board with DNSSEC, with .com and .net compliance soon to follow.

The good news, then, is that DNSSEC is finally getting some traction, and so the bad guys' opportunity to seize control of DNS is being steadily eradicated. The bad news is that unless your Windows client and server software understand DNSSEC, you and your users sadly get no protection from DNSSEC at all. In order to play in (and benefit from) this secure new world, you need to understand how to configure and maintain DNSSEC-smart systems.

Join uber-DNS-geek Mark Minasi in a look at exactly what problem DNSSEC tries to solve, how it solves it, and how Windows Server 2008 R2 and Windows 7 implement that solution. DNSSEC is one of the foremost "gotta learn it" technologies of the next couple of years even if you DON'T plan to sign your zone, so don't miss this talk from the only guy who can explain DNS things and still keep you awake!