In the "C:\Windows\System32\dns" folder of your DNS servers (primary and secondary, if applicable), you will find in particular :
On the master DNS server designated as "Key Master", you will also find :
In the file of our forward lookup zone (ex : informatiweb.lan.dns) that we have just signed, you will also see the keys used to sign the records of our DNS zone.
Since Windows 8 and its server version (2012), a new PowerShell component has appeared : Resolve-DnsName.
With this PowerShell component, you will now be able to obtain secure DNS responses (DNSSEC).
Unlike the old nslookup utility, which still exists, but uses an internal DNS client that is not compatible with DNSSEC.
For the moment, if I try to know the IP address corresponding to my "web-ns.informatiweb.lan" DNS record from my secure DNS server with DNSSEC, my DNS server will simply send me the classic DNS response.
Resolve-DnsName web-ns.informatiweb.lan -server ns1.informatiweb.lan
To force my computer to request a genuine DNSSEC response with the "Resolve-DnsName" command, I would have to add the "-dnssecok" parameter.
Resolve-DnsName web-ns.informatiweb.lan -server ns1.informatiweb.lan -dnssecok
However, for this to be automatic for your zone(s), you only need to configure a group policy (or a local policy if your clients are not linked to an Active Directory).
To do this, go to "Computer Configuration -> Windows Settings -> Name Resolution Policy".
Finally, click Create.
And don't forget to click on the Apply button at the bottom.
Now, even if you don't specify the "-dnssecok" parameter, your computer will necessarily receive a DNSSEC response for the domain (and its subdomains) previously specified.
Source : Example DNS queries
To remove the signature from the DNS zone, right-click on your DNS zone and click on : DNSSEC -> Unsign the Zone
The "Unsign zone" wizard is displayed.
The zone has been unsigned.
To have the DNS records for the zone signature disappear, simply refresh the display of your DNS zone.
Now, you find your classic DNS zone without signature.
Windows Server 1/15/2013
Windows Server 4/15/2018
Windows Server 4/25/2018
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2022 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.