Deploy DNSSEC with Windows Server 2012
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the following concepts and procedures to deploy Domain Name System Security Extensions (DNSSEC) in Windows Server 2012 or in Windows Server 2012 R2.
Deploying DNSSEC
To deploy DNSSEC, review DNSSEC conceptual information below, and then use the DNSSEC deployment checklists that are provided in this guide.
DNSSEC concepts
Overview of DNSSEC: Provides information about how DNSSEC works.
DNS Servers: Describes DNSSEC support in Windows Server.
DNS Clients: Describes the behavior of security-aware and non-security-aware DNS clients.
DNS Zones: Provides information about zone signing and unsigning with Windows PowerShell or DNS Manager.
Trust Anchors: Describes trust anchors, which are public cryptographic keys that must be installed on DNS servers to validate DNSSEC data.
The NRPT: Introduces and provides details about the Name Resolution Policy Table (NRPT).
Why DNSSEC: Describes risks and benefits of DNSSEC.
Stage a DNSSEC Deployment: Provides steps and considerations to help introduce DNSSEC to your environment.
DNSSEC Performance Considerations: Describes the impact of zone signing on a DNS infrastructure.
DNSSEC Requirements: Describes the requirements for deploying DNSSEC.
DNSSEC deployment checklists
Checklist |
Description |
|---|---|
Use this parent checklist to get started deploying DNSSEC. |
|
Sign a DNS zone and verify DNSSEC signing. |
|
Export from authoritative DNS servers and import or add trust anchors to validating DNS servers. |
|
Configure and verify name resolution policy. |
|
Administer your signed zone. |
|
Unsign a zone. |
|
Review and replace zone signing keys. |
|
Change the DNS server that is designated to be the Key Master. |
|
Checklist: Reconfigure Zone Signing Parameters on a Signed Zone |
Change zone signing parameters. |
Unsign a zone and replace signing keys. |
|
Roll over signing keys manually and update trust anchors. |