Share via

Deploying DNS Security Extensions (DNSSEC)

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

This section contains procedures you can use to deploy DNS Security Extensions (DNSSEC) on your network.

DNSSEC support in Windows Server® 2008 R2 is intended as a solution for file-backed static zones and is not intended to be used with dynamic, Active Directory-integrated DNS zones. If a zone is DNSSEC-signed on a DNS server running Windows Server 2008 R2, all types of dynamic updates (secure and non-secure) will be disabled on that zone. DNS zones that contain Active Directory-joined client resource records require dynamic updates for refresh of SRV and other records to function normally. It is recommended that you do not sign these internal, domain zones with DNSSEC on a server running Windows Server 2008 R2.

DNSSEC in Windows Server® 2012 contains significant enhancements, including support for online signing of dynamic DNS zones. Before signing any zone with DNSSEC, it is critical that you understand and carefully consider additional DNSSEC related maintenance requirements.

Deploying DNSSEC

DNSSEC adds an additional layer of protection to your network by providing validation of DNS responses. This allows client computers to trust that information they receive has not been modified or tampered with in any way.


A staged DNSSEC deployment is recommended so that you can carefully evaluate the additional administrative requirements and the effect that DNSSEC has on performance of your DNS infrastructure. For more information, see DNSSEC Deployment Planning.

DNSSEC introduces several new terms that are used in this guide. For a list of these terms with their definitions and references to the applicable Request for Comments (RFC) documentation, see DNSSEC Terminology.

For an overview of DNSSEC, see Introduction to DNSSEC.

For a description of how DNSSEC works in Windows Server 2008 R2 and Windows® 7, see Understanding DNSSEC in Windows.

For information about DNSSEC and the Name Resolution Policy Table (NRPT), see Appendix B: The Name Resolution Policy Table (NRPT).

When you have reviewed this information, complete the applicable tasks in Checklist: Implementing DNSSEC.

See Also


When to Re-sign a Zone File
Appendix C: DNSSEC PowerShell Scripts