Deploy DNSSEC with Windows Server 2012


Applies To: Windows Server 2012 R2, Windows Server 2012

Use the following concepts and procedures to deploy Domain Name System Security Extensions (DNSSEC) in Windows Server 2012 or in Windows Server 2012 R2.

Deploying DNSSEC

To deploy DNSSEC, review the DNSSEC conceptual information below, and then use the DNSSEC deployment checklists that are provided in this guide.

DNSSEC concepts

  • Overview of DNSSEC: Provides information about how DNSSEC works.

  • DNS Servers: Describes DNSSEC support in Windows Server.

  • DNS Clients: Describes the behavior of security-aware and non-security-aware DNS clients.

  • DNS Zones: Provides information about zone signing and unsigning with Windows PowerShell or DNS Manager.

  • Trust Anchors: Describes trust anchors, which are public cryptographic keys that must be installed on DNS servers to validate DNSSEC data.

  • The NRPT: Introduces and provides details about the Name Resolution Policy Table (NRPT).

  • Why DNSSEC: Describes risks and benefits of DNSSEC.

  • Stage a DNSSEC Deployment: Provides steps and considerations to help introduce DNSSEC to your environment.

  • DNSSEC Performance Considerations: Describes the impact of zone signing on a DNS infrastructure.

  • DNSSEC Requirements: Describes the requirements for deploying DNSSEC.

DNSSEC deployment checklists



Checklist: Deploy DNSSEC

Use this parent checklist to get started deploying DNSSEC.

Checklist: Sign a Zone

Sign a DNS zone and verify DNSSEC signing.

Checklist: Distribute Trust Anchors

Export trust anchors from authoritative DNS servers, and import or add them to validating DNS servers.

Checklist: Deploy DNSSEC Policies to DNS Clients

Configure and verify name resolution policy.

Checklist: Review and Manage a Signed Zone

Administer your signed zone.

Checklist: Revert to an Unsigned Zone

Unsign a zone.

Checklist: Manage Signing Keys

Review and replace zone signing keys.

Checklist: Move the Key Master Role

Change the DNS server that is designated to be the Key Master.

Checklist: Reconfigure Zone Signing Parameters on a Signed Zone

Change zone signing parameters.

Checklist: Perform an Emergency Key Revocation

Unsign a zone and replace signing keys.

Checklist: Perform a Manual Key Rollover

Roll over signing keys manually and update trust anchors.

See also

Overview of DNSSEC

DNSSEC in Windows

DNSSEC Deployment Planning

Appendix A: DNSSEC Terminology

Appendix B: Windows PowerShell for DNS Server