This article provides general information on DNSSEC trust anchors in Windows Server 2012
In order for a server to perform DNSSEC validation of DNS responses, the server must have at least one trust anchor installed. A trust anchor corresponds to a DNS zone (domain) and provides a starting point for a chain of trust: as long as the trust anchor is validated when it is installed and hasn't expired since then, responses for that zone can be validated as well. Further, if there are secure delegations present between that zone and a child zone, responses for the child zone can also be validated.
There are two types of trust anchors:
As long as a valid trust anchor for the root (.) zone has been installed (a process covered in How to Retrieve the DNSSEC Trust Anchor for the Root DNS Zone in Windows Server 2012), a security-aware DNS server can perform validation for all zones with an intact chain of trust from the root. A given zone has an intact chain of trust from the root if the following conditions are met:
For example, the secure.testdomain.com zone's chain of trust is intact if the following are all true:
If there is a break in a zone's chain of trust, a validating server must have a trust anchor manually configured in order to perform validation for the zone. In the example above, if the only thing missing were a secure delegation from the com zone to the testdomain.com zone (perhaps because an administrator neglected to create the corresponding DS record), a validating server could perform validation for the secure.testdomain.com zone if it had a trust anchor for either testdomain.com or secure.testdomain.com.
In Windows Server 2012, trust anchors can be imported from a file or manually created by obtaining and entering the relevant information. Importing from a file is the simpler method but is only possible when you have control over the server hosting the zone for which a trust anchor is needed, as you must first export that zone's trust anchor to a file before it can be imported on the validating server. This procedure is covered in How to Export a DNSSEC Trust Anchor in Windows Server 2012.
It is not possible to export a trust anchor from a server over which you have no control; in this case, the trust anchor must be created manually using data that can be retrieved from DNS: the name of the zone, its public key, and the algorithm used in the key's generation. This procedure is detailed in How to Add a DNSSEC Trust Anchor for a Remote Zone in Windows Server 2012.
Article ID: SLN290769
Last Date Modified: 10/07/2014 12:14 PM
Thank you for your feedback.