Server 2012 : Setup DNSSEC (Domain Name System Security Extensions)

Server 2012 has DNSSEC (Domain Name System Security Extensions) support enabled by default, but zones still need to be signed and configured.

In this post:

  1. Verify DNSSEC function is on
  2. Sign our Zone with DNSSEC
    • Key Signing Key (KSK)
    • Zone Signing keys (ZSK)
    • Next Secure (NSEC)
    • Signing and Polling Parameters
  3. Wrapping up
    • New Zone entries.
    • Trust Points
    • Change/view settings.

Verify DNSSEC function is turned on:

  1. Open your DNS Manager by typing DNS in Start or running dnsmgmt.msc, then right-click the server name and choose Properties.
  2. Pick the Advanced tab and take note of the state of Enable DNSSEC validation for remote responses. It is enabled by default. Click OK/Cancel to exit Properties.
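The same check from PowerShell, as an added example that is not part of the original post: it reads the server-wide validation switch and then asks the local server for a record with the DNSSEC OK (DO) bit set, so you can see whether signatures actually come back. It assumes the DnsServer module (RSAT-DNS-Server) is installed, that the setting is exposed as the EnableDnsSec property of Get-DnsServerSetting -All (my assumption; inspect the output if it differs), and uses the placeholder name sigcheck.example for a record in a zone you already know is signed.

```powershell
# Added example, not from the original post: check DNSSEC validation and
# confirm that a DO-bit query returns RRSIG records.
# Assumptions: DnsServer module installed; EnableDnsSec is the property name;
# 'sigcheck.example' is a placeholder record in a zone known to be signed.
Import-Module DnsServer

$settings = Get-DnsServerSetting -All
if ($settings.EnableDnsSec) {
    Write-Output 'DNSSEC validation for remote responses: enabled'
} else {
    Write-Warning 'DNSSEC validation for remote responses is disabled on this server'
}

# Query the local server with the DNSSEC OK bit set so signatures are included.
$answer = Resolve-DnsName -Name 'sigcheck.example' -Type A -DnssecOk `
    -Server 'localhost' -ErrorAction SilentlyContinue
$rrsigs = @($answer | Where-Object { $_.Type -eq 'RRSIG' })

if ($rrsigs.Count -gt 0) {
    Write-Output ("Got {0} RRSIG record(s): signatures are being returned" -f $rrsigs.Count)
} else {
    # Either the name is unsigned, does not exist, or signatures were stripped
    # somewhere between this host and the server; worth investigating.
    Write-Warning 'No RRSIG records in the answer for sigcheck.example'
}
```

Run it in an elevated PowerShell on the DNS server; the warning branch is the one to chase if you expected a signed answer.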

Sign our Zone with DNSSEC

  1. Right-click the Zone you want to sign, and choose DNSSEC > Sign the Zone.
    Also note the Not Signed status of the Zones.
  2. Click Next when you have read about DNSSEC.
    You can choose Use default settings to sign this zone, which is perfectly OK, but we are going to use Customize zone signing parameters and click Next >

Key Signing Key (KSK)

  1. Select whether or not the current server is the Key Master, which it is in my case. Click Next >
    Read about the Key Signing Key (KSK) and select Next >
  2. Click Add on the Key Signing Key configuration window.
  3. Key Generation: We want to Generate new signing keys.
    Key Properties: The stronger the algorithm, the stronger the signing, but before choosing, be sure about compatibility with the resolvers that will validate your zone.
    I’m choosing: RSA/SHA-512 – default key length 2048, default storage provider and default validity period.
    Key Rollover: I’m keeping everything at default.
    Don’t worry about how the GUID looks. It will change once we actually create the KSK.
    Click OK when done.
  4. Review your choices and click Next >

Zone Signing Keys (ZSK)

  1. Read about the Zone Signing Key (ZSK) and click Next > to configure the Zone Signing Keys (ZSK)
  2. Click Add on the Zone Signing Key configuration window
  3. I’m setting:
    Cryptographic algorithm to RSA/SHA-512 and
    Key Length (Bits) to 2048 and keep everything else at default.
    Once Again, select what fits your environment the best.
    Click OK
  4. Review your choices and click Next >

Next Secure (NSEC)

  1. In the Next Secure (NSEC) window, choose the default Use NSEC3 unless you have a specific reason to use NSEC, which is much less secure.
  2. Trust Anchors (TAs)
    I’m selecting Enable the distribution of trust anchors for this zone and keeping Enable automatic update of… at its default.
    Read what it is, and make an educated selection. Click Next >

Signing and Polling Parameters

  1. For DS record generation algorithm I’m choosing SHA-384, as I have a very small DNS zone and want the security.
    Notice how it takes longer to load the DNS entries when the DNS server is starting up or restarting: it needs to regenerate these at each reboot, and the DNS server stays offline until it is done.
    Also be sure about compatibility.
    I’m keeping everything else at default and click Next >
  2. Review your configuration settings and click Next > to sign our Zone.
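The whole signing procedure above (KSK, ZSK, NSEC3, DS algorithm, trust anchor distribution, then signing) driven from the DnsServer PowerShell module instead of the wizard, as an added example that is not part of the original post. Cmdlet and parameter names are the module's own; the zone name example.local is a placeholder and the option values are my choices mirroring the post. It is run on the Key Master, and it follows the wizard's order of configuring keys and zone settings before the actual signing.

```powershell
# Added example, not from the original post: sign a zone with the same
# custom parameters the wizard walks through above.
# Assumptions: run on the Key Master with the DnsServer module installed;
# 'example.local' is a placeholder zone name.
Import-Module DnsServer

$zone = 'example.local'   # placeholder: the zone you are signing

# Step 1: Key Signing Key - RSA/SHA-512, 2048-bit, default storage provider
#         and default rollover settings (the KSK dialog above).
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha512 -KeyLength 2048

# Step 2: Zone Signing Key with the same algorithm and key length.
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha512 -KeyLength 2048

# Step 3: NSEC3 for denial of existence, SHA-384 for DS record generation,
#         distribute the DNSKEY as a trust anchor and keep RFC 5011
#         automatic trust-anchor updates enabled.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone `
    -DenialOfExistence NSec3 `
    -DSRecordGenerationAlgorithm Sha384 `
    -DistributeTrustAnchor DnsKey `
    -EnableRfc5011KeyRollover $true

# Step 4: sign the zone with the keys and settings configured above.
#         No -SignWithDefault here, so the custom parameters are used.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# Quick confirmation: IsSigned should now be True.
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsSigned
```

Pick the algorithm and DS digest the same way the post does: the stronger choices are fine for a small zone, but a resolver that does not support them cannot validate, so confirm compatibility before committing.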

Wrapping up:

After refreshing the window, notice the little padlocks on our now-signed Zone.
Also notice the DNSSEC Status and Key Master columns.

New Zone entries.

When looking in the now-signed zone, you can see that a lot of new entries have been generated.


Trust Points

After refreshing the Trust Points ‘folder’ you will also find that a new Trust Point has been added for the Zone we just signed and distributed a trust anchor for.

Change/view settings.

By right-clicking your Zone and selecting DNSSEC > Properties you can see all the settings we just configured.
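Reading the same things back from PowerShell (signed status and Key Master, the new record types, signing keys, trust points and the zone's DNSSEC settings), as an added example that is not part of the original post. Cmdlet names are the DnsServer module's; example.local is a placeholder, and the property names I list are the ones I expect the cmdlets to return (use Format-List * on any object where one is missing).

```powershell
# Added example, not from the original post: inspect what signing produced.
# Assumptions: DnsServer module installed; 'example.local' is a placeholder
# zone; property names are my expectation of the cmdlet output.
Import-Module DnsServer
$zone = 'example.local'   # placeholder: the zone signed above

# Signed status (the padlock in DNS Manager) and the Key Master server
Get-DnsServerZone -Name $zone | Format-List ZoneName, IsSigned
Get-DnsServerDnsSecZoneSetting -ZoneName $zone |
    Format-List KeyMasterServer, DenialOfExistence, DSRecordGenerationAlgorithm,
                DistributeTrustAnchor, EnableRfc5011KeyRollover

# The new entries: count records per type so RRSIG, DNSKEY, NSEC3 and
# NSEC3PARAM stand out next to the ordinary A/SOA/NS records.
Get-DnsServerResourceRecord -ZoneName $zone |
    Group-Object RecordType |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# Keys and their state, which is what the KSK/ZSK dialogs configured
Get-DnsServerSigningKey -ZoneName $zone |
    Format-Table KeyId, KeyType, CryptoAlgorithm, KeyLength, KeyState -AutoSize

# Trust points held by this server (the Trust Points folder in DNS Manager)
Get-DnsServerTrustPoint |
    Format-Table TrustPointName, TrustPointState, LastActiveRefreshTime -AutoSize

# Built-in sanity check of the zone's DNSSEC settings
Test-DnsServerDnsSecZoneSetting -ZoneName $zone
```

The record-type count is the quickest way to confirm the zone is really signed rather than just flagged: a signed zone shows RRSIG records roughly matching the number of original record sets, plus DNSKEY and NSEC3/NSEC3PARAM entries.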

You can follow the next post on Setup DNS trust points between Domains in order to read about Trust Points and how to export these.

Posted in DNS, Server 2012