Sign your DNS zones with DNSSEC on Windows Server 2012 / 2012 R2

  • Windows Server
  • DNS
  • 11 May 2018 at 09:01 UTC
  • InformatiWeb
  • 2/3

5. Zone files, trust anchors, ...

In the "C:\Windows\System32\dns" folder of your DNS servers (primary and secondary, if applicable), you will find in particular:

  • the forward lookup zone files
  • the reverse lookup zone files (those whose names end in "in-addr.arpa.dns")

On the master DNS server designated as "Key Master", you will also find:

  • "keyset-<zone name>" files: the DNSKEY RRset (also called the KEYSET) of the zone
  • "dsset-<zone name>" files: the DS RRset (also called the DSSET) of the zone
  • the "TrustAnchors.dns" file, which contains the trust points (trust anchors), if your DNS server is not an Active Directory domain controller

In the file of the forward lookup zone we have just signed (e.g. informatiweb.lan.dns), you will also see the keys used to sign the records of the DNS zone.

6. Make a DNSSEC request to a DNS server secured with DNSSEC

Since Windows 8 and its server counterpart (Windows Server 2012), a new PowerShell cmdlet is available: Resolve-DnsName.
With this cmdlet, you can now obtain DNSSEC-secured DNS responses, unlike the old nslookup utility, which still exists but uses an internal DNS client that is not DNSSEC-aware.

For the moment, if I try to find the IP address corresponding to my "web-ns.informatiweb.lan" DNS record by querying my DNSSEC-secured DNS server, the server simply sends me back the classic (unsigned) DNS response.

Resolve-DnsName web-ns.informatiweb.lan -server ns1.informatiweb.lan

To force my computer to request a genuine DNSSEC response with the "Resolve-DnsName" command, I have to add the "-dnssecok" parameter.

Resolve-DnsName web-ns.informatiweb.lan -server ns1.informatiweb.lan -dnssecok

However, to make this automatic for your zone(s), you only need to configure a group policy (or a local policy if your clients are not joined to an Active Directory domain).
To do this, go to "Computer Configuration -> Windows Settings -> Name Resolution Policy".
Then:

  • select "Suffix" from the list (if not already selected)
  • specify the root domain of your DNSSEC-secured DNS zone
  • in the DNSSEC tab, check the "Enable DNSSEC in this rule" and "Require DNS clients to check that name and address data has been validated by the DNS server" boxes.

Finally, click Create.

And don't forget to click on the Apply button at the bottom.

Now, even if you don't specify the "-dnssecok" parameter, your computer will always require a validated DNSSEC response for the domain (and its subdomains) specified in that rule.
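The DNSSEC query from section 6 and the name resolution policy rule described just above, as one added PowerShell example (it is not the tutorial's own script): the host names and the ".informatiweb.lan" suffix are the tutorial's examples, and the TypeCovered, Signer and Expiration property names are those of the RRSIG record objects returned by Resolve-DnsName.

```powershell
# Added example (not from the original tutorial). It scripts the two steps described above:
# querying a DNSSEC-signed name with Resolve-DnsName -DnssecOk, and creating the NRPT suffix
# rule that the Name Resolution Policy editor builds for you.
# Assumed names: 'web-ns.informatiweb.lan', 'ns1.informatiweb.lan' and the '.informatiweb.lan'
# suffix come from the tutorial; replace them with your own.

function Test-DnsSecSignedName {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        [string] $Type = 'A'
    )
    # -DnssecOk sets the DO bit, so a signed zone answers with RRSIG records as well.
    # -DnsOnly skips the hosts file, LLMNR and NetBIOS so only the DNS answer is examined.
    $records = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnssecOk -DnsOnly -ErrorAction Stop

    $answers = @($records | Where-Object { $_.Type -eq $Type })
    # RRSIG objects expose the covered type and the signature validity window.
    $rrsigs  = @($records | Where-Object { $_.Type -eq 'RRSIG' -and $_.TypeCovered -eq $Type })

    [pscustomobject]@{
        Name       = $Name
        Type       = $Type
        Answers    = @($answers | ForEach-Object { $_.IPAddress })   # IPAddress applies to A/AAAA answers
        Signed     = ($rrsigs.Count -gt 0)
        Signer     = @($rrsigs | ForEach-Object { $_.Signer })
        Expiration = @($rrsigs | ForEach-Object { $_.Expiration })   # renew signatures before this date
    }
}

function Add-DnsSecSuffixRule {
    # Local-policy equivalent of the NRPT rule built above; run from an elevated prompt.
    # A namespace starting with a dot is a suffix rule (covers the domain and its subdomains).
    param([Parameter(Mandatory)] [string] $Suffix)
    Add-DnsClientNrptRule -Namespace $Suffix -DnsSecEnable -DnsSecValidationRequired `
        -Comment 'Require DNSSEC-validated answers for this suffix'
    # Show the rule that is now in force for the suffix.
    Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq $Suffix }
}

# Usage (constructed from the tutorial's names):
$check = Test-DnsSecSignedName -Name 'web-ns.informatiweb.lan' -Server 'ns1.informatiweb.lan'
$check | Format-List
if (-not $check.Signed) {
    Write-Warning "$($check.Name) came back without RRSIG records: zone not signed or server not DNSSEC-aware"
}
# Add-DnsSecSuffixRule -Suffix '.informatiweb.lan'   # uncomment to apply the local NRPT rule
```

The presence of RRSIG records shows that the server returned signatures; the validation itself is performed by the DNS server, which the NRPT rule then obliges the client to trust only when the "validated" flag is set.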

Source: Example DNS queries

7. Delete the DNS zone signature

To remove the signature from the DNS zone, right-click on your DNS zone and click: DNSSEC -> Unsign the Zone.

The "Unsign zone" wizard is displayed.
Click Next.

The zone has been unsigned.

To make the DNS records related to the zone signature disappear from the console, simply refresh the display of your DNS zone.

You now have your classic, unsigned DNS zone again.

® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
