DNSSEC (Domain Name System Security Extensions) is a technology that allows (if everyone sets it up) to secure all requests and DNS responses that pass through the Internet.
Typically, DNSSEC is set up on public (or externally accessible) DNS servers because they are more exposed to hackers than the DNS servers used internally (for an intranet and / or a network with an Active Domain Directory, for example).
To learn more about DNSSEC, read our article : Why deploy DNSSEC on your DNS server and how does it work ?
Windows client computers support DNSSEC from Windows 7.
For Windows Server servers, DNSSEC is supported since Windows Server 2008 R2 and its support has been improved since the 2012 release.
Indeed, Windows Server 2008 R2 didn't support the NSEC3 and RSA/SHA-2 standards and was limited to offline signing of static zones.
Since Windows Server 2012, its support includes :
Source : Why DNSSEC | Microsoft Docs
DNSSEC can be enabled only on zones that your DNS server is authoritative.
As noted in our article about DNSSEC, you will need to distribute the trust points to other servers so that they can validate the signatures received from your DNS for your DNSSEC signed zones.
If you want to distribute them automatically, your DNS server must also be a controller.
If not, you will have to do it manually. It's up to you to choose what you prefer to do.
If you installed your DNS server at the same time as the Active Directory, these trust points will be stored in the Active Directory so that they can be replicated to your other domain controllers by replicating the Active Directory.
For that, it will be enough to make a right click "DNSSEC -> Properties" on your signed DNS zone and to go in the "Trust Anchor" tab.
Then, check the "Enable the distribution of trust anchors for this zone" check box.
However, if you have installed your DNS server separately, these trust points will be stored in the "C:\Windows\System32\dns\TrustAnchors.dns" file on the master DNS server that manages the KSK and ZSK keys.
To sign a primary DNS zone through DNSSEC, open the DNS Manager, then right-click "DNSSEC -> Sign the Zone" on your forward lookup zone.
The zone signing wizard appears.
To sign your 1st DNS zone, you have 2 possibilities :
Note that when you choose "Customize zone signing parameters", the options selected by default will be the same as if you had chosen the "Use settings to sign zone" option.
Nevertheless, for this tutorial, we will use the long version "Customize zone signing parameters" to explain the zone's signature in detail.
To begin, you will need to create a KSK key.
This key will allow you to sign other keys and may be longer than the key ZSK (which you will see later).
Click Add to create a new KSK key.
Note that you can create up to 3 KSK keys with the same encryption algorithm or create KSK keys with different encryption algorithms.
Nevertheless, only one is sufficient in most cases.
By default, the wizard will generate a new signing key (as shown in the "Key Generation" section).
Then, you will be able to choose :
Encryption algorithm :
The choice of the encryption algorithm affects the type of NSEC record that will be used for DNS records that don't exist or that no longer exist in your DNS zone.
Source : Cryptographic algorithms - Microsoft Docs
Length of the key :
The longer the key, the more secure it is.
But, the longer it is, the more resources your server will be used for the calculation of signatures.
Key storage provider :
If the keys will be distributed through the Active Directory, you must choose : Microsoft Software Key Storage Provider.
Source : KSK parameters - Microsoft Docs
Now, the wizard offers you to create a ZSK key.
This ZSK key is used to sign the data (the DNS records) of the DNS zone to sign.
Generally, these keys have a shorter validity than the KSK keys (created previously).
Click Add to create a new KSK key.
To create a new ZSK key, you find almost the same options, including the storage provider option.
If your DNS server is also a domain controller, choose: Microsoft Software Key Storage Provider.
For periods of validity, they concern :
When a DNS record doesn't exist in a zone signed with DNSSEC, your server will still respond to the user's request by certifying that this record doesn't exist in your DNS zone.
In order to be able to send an authentic response to the user, your server will use NSEC or NSEC3 records (an improved version of the NSEC).
Note that NSEC and NSEC3 are not compatible with all cipher algorithms (as previously explained).
Change the encryption algorithm for DS records if you want.
The Zone Signing Wizard appears. Then, click Finish.
Now that your DNS zone is signed, right-click on it and click on : DNSSEC -> Properties.
In the DNSSEC properties of your DNS zone, you will find all the parameters previously configured :
If your DNS server is also a domain controller, don't forget to check the "Enable the distribution of trust anchors for this zone" box in the "Trust Anchor" tab.
Then, click OK.
Click Yes to save these settings.
If you click on "Forward Lookup Zones", you will see that your zone is signed with DNSSEC and that a small padlock appeared in the icon next to the name of your DNS zone.
Note that even if the DNS zone has been signed, the padlock will not appear on your secondary DNS servers (if you have one) or on your primary DNS server if the zone was created on an older version of Windows Server (ex : 2008 R2).
Windows Server 1/15/2013
Windows Server 4/15/2018
Windows Server 4/25/2018
® InformatiWeb-Pro.net - InformatiWeb.net 2008-2021 - © Lionel Eppe - All rights reserved.
Total or partial reproduction of this site is prohibited and constitutes an infringement punishable by articles L.335-2 and following of the intellectual property Code.