Requirements for implementing DNSSEC in Windows Server 2012

This article describes the requirements for implementing DNS Security Extensions (DNSSEC) in Windows Server 2012 and Windows Server 2012 R2.

For general information on DNSSEC, see Introduction to DNS Security Extensions (DNSSEC).
For information on the DNS records used in a DNSSEC-signed zone, see DNS Records Associated with DNSSEC.

In Windows Server 2008 R2, a DNS zone could only be signed using a series of lengthy Dnscmd.exe commands. Active Directory-integrated zones had to first be exported to a file, and dynamic updates to a zone were no longer possible after signing. Any change to the data in the zone meant that the zone had to be manually re-signed.

Windows Server 2012 introduces many DNSSEC-related improvements. Active Directory-integrated zones can now be signed, and dynamic updates are allowed on signed zones. Also, the Zone Signing Wizard, accessible through DNS Manager, provides a graphical interface for the zone-signing process. There are a few requirements and recommendations to be aware of before implementing DNSSEC in your environment. These are listed below:

DNSSEC Requirements in Windows Server 2012 and 2012 R2

  • The DNS Server role must be installed.
  • It is recommended that the DNS server have a static IP address. This isn't absolutely necessary - a DHCP reservation will work also - but it is important that the IP address of the DNS server remain constant.
  • The DNS server can be a domain controller, domain member, or standalone server. Only domain controllers can host Active Directory-integrated zones, but domain members and standalone servers can be secondary servers for Active Directory-integrated zones as long as zone transfers are correctly configured.
  • It is recommended that only servers running Windows Server 2012 or later be used to host signed DNS zones. The Windows Server 2012 implementation of DNSSEC is not fully compatible with the version in Windows Server 2008 R2. For example, zones signed in Windows Server 2012 will be loaded as unsigned zones in Windows Server 2008 R2. This includes Active Directory-integrated zones in environments with domain controllers running both versions of Windows.
  • The DNS server must support Extension Mechanisms for DNS (EDNS0). Windows Server 2012 and 2012 R2 both support this, but the network infrastructure may not by default. Responses from a signed zone carry RRSIG and DNSKEY records and routinely exceed the 512-byte UDP limit of classic DNS, so routers and firewalls between the servers and their clients may need to be configured to pass larger UDP packets (and the IP fragments they produce) and to allow TCP port 53, which resolvers fall back to when a truncated UDP response is returned.
  • For each signed zone, one DNS server must be designated as the Key Master. This server must be a primary authoritative server for the zone to be signed, and a single server can be the Key Master of multiple zones. The Key Master is responsible for generating and managing the keys associated with DNSSEC and performing the actual signing of the zone. Therefore, it must be able to handle the processor and memory requirements of cryptographic operations. For more information, see DNSSEC Performance Considerations.
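The following pre-flight script is an added example and is not part of the original article or of Microsoft's documentation. It checks the requirements above on the server you intend to make the Key Master, using the DnsServer PowerShell module shipped with the DNS Server role on Windows Server 2012 and 2012 R2. It assumes an elevated PowerShell session; the zone name is a placeholder to replace with your own.

```powershell
# Added example (not from the original Dell article). Run in an elevated
# PowerShell session on the intended Key Master. Zone name is an assumption.
param(
    [string]$ZoneName = 'corp.example.com'   # assumption: replace with your zone
)

$results = @()
function Add-Check($Name, $Passed, $Detail) {
    $script:results += [pscustomobject]@{ Check = $Name; Passed = [bool]$Passed; Detail = $Detail }
}

# 1. DNS Server role must be installed.
$dns = Get-WindowsFeature -Name DNS
Add-Check 'DNS Server role installed' ($dns.InstallState -eq 'Installed') $dns.InstallState

# 2. Static IP address. PrefixOrigin 'Manual' is a static address; 'Dhcp' means a
#    lease, which the article accepts only if a reservation keeps it constant.
$addrs = Get-NetIPAddress -AddressFamily IPv4 |
    Where-Object { $_.IPAddress -notlike '127.*' -and $_.IPAddress -notlike '169.254.*' }
$dhcp = $addrs | Where-Object { $_.PrefixOrigin -eq 'Dhcp' }
$addrDetail = ($addrs | ForEach-Object { "$($_.IPAddress) ($($_.PrefixOrigin))" }) -join ', '
Add-Check 'Static IPv4 address (no DHCP lease)' (@($dhcp).Count -eq 0) $addrDetail

# 3. Windows Server 2012 (NT 6.2) or later: 2008 R2 (6.1) loads these zones as unsigned.
$os  = Get-CimInstance Win32_OperatingSystem
$ver = [version]$os.Version
Add-Check 'Windows Server 2012 or later' ($ver -ge [version]'6.2') "$($os.Caption) $($os.Version)"

# 4. EDNS0 enabled on the DNS server (the network path still has to allow >512-byte UDP).
$edns = Get-DnsServerEDns
Add-Check 'EDNS0 probes enabled' $edns.EnableProbes `
    "EnableProbes=$($edns.EnableProbes) EnableReception=$($edns.EnableReception)"

# 5. This server must hold a primary copy of the zone to be eligible as Key Master.
$zone = Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue
if ($zone) {
    Add-Check 'Zone hosted as primary' ($zone.ZoneType -eq 'Primary') `
        "ZoneType=$($zone.ZoneType) ADIntegrated=$($zone.IsDsIntegrated) Signed=$($zone.IsSigned)"
    if ($zone.IsSigned) {
        # Already signed: report which server currently holds the Key Master role.
        $sec = Get-DnsServerDnsSecZoneSetting -ZoneName $ZoneName -ErrorAction SilentlyContinue
        Add-Check 'Key Master designated' ([bool]$sec.KeyMasterServer) "KeyMaster=$($sec.KeyMasterServer)"
    }
} else {
    Add-Check 'Zone hosted as primary' $false "zone '$ZoneName' not found on this server"
}

$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Passed }) { exit 1 }
```

A non-zero exit code means at least one check failed; the Detail column shows what was found. The script only reads configuration, so it is safe to run repeatedly, for example on each domain controller before choosing which one will become the Key Master.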

Assuming these requirements are met, you may proceed with signing a zone. This procedure is detailed in How to Sign a DNS Zone in Windows Server 2012.

Quick Tips content is self-published by the Dell Support Professionals who resolve issues daily. In order to achieve a speedy publication, Quick Tips may represent only partial solutions or work-arounds that are still in development or pending further proof of successfully resolving an issue. As such Quick Tips have not been reviewed, validated or approved by Dell and should be used with appropriate caution. Dell shall not be liable for any loss, including but not limited to loss of data, loss of profit or loss of revenue, which customers may incur by following any procedure or advice set out in the Quick Tips.

Article ID: SLN290529

Last modified: 10/06/2014 12:19 PM