
How can I add SSHFP records (or any arbitrary records) on Windows DNS Server?

I'm running a DC with Windows 2012 R2 and would like to put the SSH keys of the Unix servers on the DNS.

Vinícius Ferrão
    Before you get too much further, be aware that SSH clients *will not* be able to leverage `SSHFP` unless they are being run on a machine whose resolver library has EDNS0 extensions enabled (not a default under most flavors of Redhat). Additionally, the zone containing the DNS record must be signed. These conditions are a baseline requirement for `SSHFP` to function and most IT environments will not meet them. – Andrew B Mar 14 '15 at 00:35
    I disagree with not implementing something only because the other side isn't implemented yet. If the same argument is used on both ends, good ideas will never get implemented at all. – Esa Jokinen Apr 16 '15 at 18:03

2 Answers


As was noted in another answer, none of the Microsoft tools for MSDNS (dnsmgmt.msc, dnscmd, Add-DnsServerResourceRecord) appear to have any ability to add an SSHFP record.

Additionally, these tools also don't appear to have the ability to add records of arbitrary types using the standardized generic opaque record format (i.e., type<typeno> \# <length> <hexencodedRRdata>).

However, MSDNS does support the dynamic update protocol, something which actually does make it possible to add SSHFP records to zones hosted on MSDNS!

While adding the record does work and the record is queryable afterwards, I do suggest caution as you're likely in mostly untested territory. This may not be suitable for production use.

These initial steps can be done through whichever method you prefer (dnsmgmt.msc works fine, for instance):

  • Ensure that the relevant zone is signed or otherwise enable signing (you'll want to read up on DNSSEC if you are not already familiar)
  • Enable dynamic updates for the relevant zone

Then, using the regular nsupdate and dig tools from BIND:

C:\Users\Administrator\Downloads\BIND9.10.2.x64>nsupdate
> server localhost
> zone example.com
> update add foo.example.com 3600  IN  SSHFP  2 1 CC17F14DA60CF38E809FE58B10D0F22680D59D08
> send
> 

And to verify that the record exists:

C:\Users\Administrator\Downloads\BIND9.10.2.x64>dig @localhost foo.example.com sshfp +dnssec

; <<>> DiG 9.10.2 <<>> @localhost foo.example.com sshfp +dnssec
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53553
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4000
;; QUESTION SECTION:
;foo.example.com.               IN      SSHFP

;; ANSWER SECTION:
foo.example.com.        3600    IN      SSHFP   2 1 CC17F14DA60CF38E809FE58B10D0F22680D59D08
foo.example.com.        3600    IN      RRSIG   SSHFP 8 3 3600 20150426201836 20150416191836 46761 example.com. rO98HgBwZSCdsHIf/svgKV+ShLGDonandqrRE1Fe0RdhiJiK
S/B0c28g vFCVijPqDBhxbCsY/OBh5AsF/LpZMZjE5erIIliq6E8yIlPMyiN+MabQ Sxm8Pwfo9V/GeiG7MlmgBOArHp+rYWhA2X3GFpzb9xTiequppbB1GMao iz8=

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Apr 16 20:32:45 Coordinated Universal Time 2015
;; MSG SIZE  rcvd: 249


C:\Users\Administrator\Downloads\BIND9.10.2.x64>
Håkan Lindqvist
    How cool is that! Note that this only works **from Windows Server 2012** since 2008 R2 doesn't support signing with zones that have dynamic updates enabled. – Esa Jokinen Apr 16 '15 at 20:46
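The nsupdate session above hand-types one SSHFP record. As an added example (not code from the answer, from BIND, or from Microsoft), the script below derives the SSHFP RDATA from an OpenSSH public-key line per RFC 4255 (algorithm number, fingerprint type, hex fingerprint over the key blob), emits the equivalent nsupdate commands for both SHA-1 and SHA-256 fingerprint types, and checks a published RDATA string (as printed by dig) against the host key. The host key is a constructed Ed25519 sample, not a real key; the server, zone and host names are the placeholders used in the answer.

```python
import base64
import hashlib
import struct

# SSHFP algorithm numbers from RFC 4255 and its IANA registry (assumption: only these four)
SSHFP_ALGORITHMS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256
SSHFP_FPTYPES = {1: hashlib.sha1, 2: hashlib.sha256}

def ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

# Constructed sample host key: 32 fixed bytes wrapped in OpenSSH's public-key blob format.
# This is NOT a real key; it only exercises the parsing and hashing below.
SAMPLE_RAW_KEY = bytes(range(32))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_RAW_KEY)).decode() + " root@foo"

def sshfp_rdata(pubkey_line: str, fptype: int) -> tuple:
    """Return (algorithm, fptype, HEX fingerprint) for one authorized_keys-style line."""
    keytype, blob = pubkey_line.split()[:2]
    raw = base64.b64decode(blob)
    # The blob carries its own key-type string first; it must match the declared type.
    (n,) = struct.unpack(">I", raw[:4])
    if raw[4:4 + n].decode() != keytype:
        raise ValueError("key type inside blob does not match declared key type")
    # RFC 4255: the fingerprint is the hash of the whole public-key blob.
    fingerprint = SSHFP_FPTYPES[fptype](raw).hexdigest().upper()
    return SSHFP_ALGORITHMS[keytype], fptype, fingerprint

def nsupdate_script(server: str, zone: str, host: str, pubkey_line: str, ttl: int = 3600) -> str:
    """Build nsupdate command text equivalent to the interactive session in the answer."""
    lines = [f"server {server}", f"zone {zone}"]
    for fptype in (1, 2):  # publish both SHA-1 and SHA-256 fingerprints
        alg, ft, fp = sshfp_rdata(pubkey_line, fptype)
        lines.append(f"update add {host} {ttl} IN SSHFP {alg} {ft} {fp}")
    lines.append("send")
    return "\n".join(lines) + "\n"

def matches_published(pubkey_line: str, published_rdata: str) -> bool:
    """Check an SSHFP RDATA string such as '4 2 ABCD...' (dig output) against a host key."""
    alg, ft, fp = published_rdata.split()
    return sshfp_rdata(pubkey_line, int(ft)) == (int(alg), int(ft), fp.upper())

if __name__ == "__main__":
    print(nsupdate_script("localhost", "example.com", "foo.example.com", SAMPLE_PUBKEY_LINE))
```

Feeding the printed text to `nsupdate` on stdin has the same effect as typing the session in the answer; the matching check is what a client-side audit would run against what the server actually serves.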

In short: SSHFP is currently not available and I am waiting for it, too.

Explanation:

Windows DNS Server has very limited options for RRType to prevent you adding incompatible data. While the GUI has specific fields for every part of the record, some of them as drop-down menus, dnscmd /RecordAdd and the PowerShell cmdlet Add-DnsServerResourceRecord also have the same limitations for RRTypes and their data.

RRType is currently limited to

  • RFC based A, AAAA, AFSDB, CNAME, DHCID, DNAME, HINFO, ISDN, MX, NS, PTR, RP, RT, SRV, TXT, WKS & X25
  • Windows specific WINS, WINSR & ATMA.
  • DNSSEC-related record types are created automatically during signing, thus unavailable.

The supposed future SSHFP type would therefore have three parameters according to RFC 4255:

dnscmd /RecordAdd <Zone> <NodeName> SSHFP <Algorithm> <FP type> <Fingerprint>

If SSHFP RRType becomes available, as Andrew B mentioned, you must first meet two conditions:

  • You must have a DNSSEC zone and the SSHFP record must be signed. Otherwise it will not improve your security at all.
  • The resolver library of the machine running SSH must have EDNS0 extensions enabled.

Therefore, the first question to ask is how to enable DNSSEC on Windows server. It's good that you have Windows Server 2012 R2, since the support in 2008 R2 was limited to offline signing of static zones and it didn't support NSEC3 and RSA/SHA-2.

Since this question wasn't about DNSSEC on Windows Server in general, I'll only leave this rather practical TechNet article as homework: Step-by-Step: Demonstrate DNSSEC in a Test Lab

Esa Jokinen