In the "C:\Windows\System32\dns" folder of your DNS servers (primary and secondary, if applicable), you will find, in particular:
On the master DNS server designated as "Key Master", you will also find:
In the file of our forward lookup zone (e.g. informatiweb.lan.dns) that we have just signed, you will also see the keys used to sign the records of our DNS zone.
Since Windows 8 and its server version (Windows Server 2012), a new PowerShell cmdlet is available: Resolve-DnsName.
With this cmdlet you can now obtain DNSSEC-secured DNS responses, unlike the old nslookup utility, which still exists but uses its own internal DNS client that is not compatible with DNSSEC.
For the moment, if I try to find the IP address corresponding to my "web-ns.informatiweb.lan" DNS record by querying my DNSSEC-secured DNS server, the DNS server will simply send me the classic (unsigned) DNS response.
Resolve-DnsName web-ns.informatiweb.lan -server ns1.informatiweb.lan
To force my computer to request a genuine DNSSEC response with the "Resolve-DnsName" command, I have to add the "-dnssecok" parameter, which sets the DO (DNSSEC OK) bit in the query so that the server includes the RRSIG records in its answer.
Resolve-DnsName web-ns.informatiweb.lan -server ns1.informatiweb.lan -dnssecok
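To see the difference between the two commands above side by side, here is an added example (not code from the original article) that runs both queries and reports whether the answer came back with RRSIG records. The record name and server are the ones used in the article and are assumptions; adapt them to your own zone.

```powershell
# Added example (not from the original article): compare a plain query with a
# DNSSEC-aware (-DnssecOk) query and report whether the answer is signed.
function Test-DnssecAnswer {
    param(
        [Parameter(Mandatory)] [string] $Name,     # e.g. 'web-ns.informatiweb.lan' (assumed)
        [Parameter(Mandatory)] [string] $Server    # e.g. 'ns1.informatiweb.lan'    (assumed)
    )

    # Plain query: the server answers with the A record only, no signatures.
    # -DnsOnly skips the hosts file and LLMNR so the answer really comes from DNS.
    $plain  = Resolve-DnsName -Name $Name -Server $Server -Type A -DnsOnly -ErrorAction Stop

    # DNSSEC-aware query: the DO bit is set, so the server adds the RRSIG records.
    $signed = Resolve-DnsName -Name $Name -Server $Server -Type A -DnssecOk -DnsOnly -ErrorAction Stop

    # Records whose Type is RRSIG are the signatures over the answer set.
    $plainRrsig  = @($plain  | Where-Object { $_.Type -eq 'RRSIG' })
    $signedRrsig = @($signed | Where-Object { $_.Type -eq 'RRSIG' })

    [pscustomobject]@{
        Name             = $Name
        Server           = $Server
        Addresses        = @($plain | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
        PlainHasRrsig    = ($plainRrsig.Count  -gt 0)   # expected: False
        DnssecOkHasRrsig = ($signedRrsig.Count -gt 0)   # expected: True for a signed zone
        RrsigRecords     = $signedRrsig                  # inspect with: ... | Select -Expand RrsigRecords | Format-List *
    }
}

# Usage (assumed names from the article):
Test-DnssecAnswer -Name 'web-ns.informatiweb.lan' -Server 'ns1.informatiweb.lan'
```

If DnssecOkHasRrsig comes back False against a zone you believe is signed, the query did not reach the signed copy of the zone: check that you are pointing -Server at the signed primary (or a secondary that has transferred the signed zone) rather than at a caching resolver that strips DNSSEC data. Note that -DnssecOk only asks the server to include the signatures; requiring validation is what the NRPT policy described below is for.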
However, for this to be automatic for your zone(s), you only need to configure a group policy (or a local policy if your clients are not joined to an Active Directory domain).
To do this, go to "Computer Configuration -> Windows Settings -> Name Resolution Policy".
Then:
Finally, click Create.
And don't forget to click on the Apply button at the bottom.
Now, even if you don't specify the "-dnssecok" parameter, your computer will always receive a DNSSEC response for the domain (and its subdomains) specified above.
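The same Name Resolution Policy Table (NRPT) rule can be created from PowerShell on a client that is not domain-joined, which is the "local policy" case mentioned above. The following is an added example, not code from the original article; the namespace and record names are the article's informatiweb.lan zone and are assumptions.

```powershell
# Added example (not from the original article): local NRPT rule that requires
# DNSSEC for a namespace, equivalent to the Name Resolution Policy GPO setting.
# Run in an elevated PowerShell session on the client.
function Enable-DnssecForNamespace {
    param(
        # A leading dot makes this a suffix rule, so it also covers subdomains.
        [Parameter(Mandatory)] [string] $Namespace,   # e.g. '.informatiweb.lan' (assumed)
        [string] $Comment = 'Require DNSSEC validation (added example)'
    )

    # Remove any existing rule for this namespace so we do not end up with duplicates.
    $existing = Get-DnsClientNrptRule | Where-Object { $_.Namespace -contains $Namespace }
    foreach ($rule in $existing) {
        Remove-DnsClientNrptRule -Name $rule.Name -Force
    }

    # -DnsSecEnable turns DNSSEC on for the namespace (the client sets the DO bit itself).
    # -DnsSecValidationRequired makes the client reject answers the server did not
    # validate (no AD bit) instead of silently accepting an unsigned reply.
    Add-DnsClientNrptRule -Namespace $Namespace -DnsSecEnable -DnsSecValidationRequired -Comment $Comment

    # Return the effective policy entry so the caller can confirm the rule took effect.
    Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq $Namespace }
}

# Usage (assumed namespace from the article):
Enable-DnssecForNamespace -Namespace '.informatiweb.lan'

# Check: with the rule in place, a query WITHOUT -DnssecOk still returns RRSIG records.
$answer = Resolve-DnsName -Name 'web-ns.informatiweb.lan' -Server 'ns1.informatiweb.lan' -DnsOnly
$signed = @($answer | Where-Object { $_.Type -eq 'RRSIG' }).Count -gt 0
"DNSSEC data returned without -DnssecOk: $signed"   # expected: True
```

Two points worth keeping in mind: the Windows DNS client is a non-validating, security-aware stub resolver, so "validation required" means it trusts the AD (Authenticated Data) bit set by the DNS server rather than checking signatures itself, which is why the server you point clients at must be a DNSSEC-validating one; and on a domain-joined client, a rule pushed by group policy takes precedence over a local rule created this way, so use the GPO path described above there.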
Source: Example DNS queries
To remove the signature from the DNS zone, right-click on your DNS zone and click on: DNSSEC -> Unsign the Zone
The "Unsign zone" wizard is displayed.
Click Next.
The zone has been unsigned.
To have the DNS records for the zone signature disappear, simply refresh the display of your DNS zone.
Your zone is now back to a classic, unsigned DNS zone.