Checklist: Implementing DNSSEC

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Tip

This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

This checklist provides links to important concepts and procedures you can use to implement DNSSEC. It also contains links to subordinate checklists that will help you complete the tasks that are required to implement this design. Verify that your DNS infrastructure is operating as expected after performing each procedure.

Note

When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or you complete the tasks in the subordinate checklist so that you can proceed with the remaining tasks in this checklist.

Checklist: Implementing DNSSEC

  Task Reference

Review key concepts for DNSSEC.

Introduction to DNSSEC

Understanding DNSSEC in Windows

Review deployment staging recommendations, hardware and software requirements, and key management considerations for DNSSEC.

Upgrade or deploy DNS servers running Windows Server® 2008 R2 as required, and verify your DNS infrastructure is performing as expected.

DNSSEC Deployment Planning

Review zone signing requirements, choose a key rollover mechanism, and identify the secure computers and DNSSEC protected zones for your staged deployment.

Checklist: Preparing to Deploy DNSSEC

Generate and back up keys, then sign and reload the DNSSEC protected zone.

Verify that your DNS infrastructure is performing as expected before proceeding to the next step.

Checklist: Signing a Zone

Distribute trust anchors to all non-authoritative DNS servers that will perform DNSSEC validation of data from the signed zone.

Verify that your DNS infrastructure is performing as expected before proceeding to the next step.

Checklist: Configuring and Distributing Trust Anchors

Deploy certificates and IPsec policy to your DNS servers.

Verify that your DNS infrastructure is performing as expected before proceeding to the next step.

Checklist: Configuring IPsec Policy on the DNS Server

Configure Name Resolution Policy Table (NRPT) settings and deploy IPsec policy to client computers.

Verify that your DNS infrastructure is performing as expected before proceeding to the next stage of your DNSSEC deployment plan.

Checklist: Deploying DNSSEC and IPsec on the DNS client

See Also

Concepts

Implementing a Secure DNS Design