Using DNS Security Extensions (DNSSEC)

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

Windows Server 2003 DNS provides basic support for the DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. With this level of support, a DNS server can act as a secondary server for an existing DNSSEC-compliant secure zone: it stores and loads the DNSSEC-specific resource records (RRs), but it cannot sign zones or resource records (create cryptographic digital signatures), and it cannot validate SIG resource records. The DNSSEC resource records are KEY, SIG, and NXT. For more information about resource records, see Resource records reference. For more information about RFCs, see DNS RFCs.

Server support for DNSSEC

When loading a zone containing DNSSEC resource records, the DNS server loads these records along with all other types of resource records contained in the zone. When receiving a zone transfer containing DNSSEC resource records (SIG, KEY, NXT), the DNS server writes these records to the zone storage (zone data file or Active Directory) along with all other resource records.

When a DNS server receives a request or response containing DNSSEC resource records, it does not verify the digital signatures; it caches the response and uses it to answer subsequent queries. Because no verification takes place, the presence of SIG records in a cached response is not evidence that the data is authentic. When a DNS server receives a request for a resource record in a zone that also contains DNSSEC resource records, it attaches the appropriate DNSSEC records to the response.

When a signed zone contains resource records for an owner name, including a CNAME resource record for that name, the DNS server returns the CNAME record together with the DNSSEC resource records associated with that owner name (the alias name). The DNS server does not suppress the CNAME resource record, and it does not return a SIG resource record for the canonical (target) name; it returns only the SIG resource record for the alias name.

Client support for DNSSEC

The DNS client does not read or store a key for a trusted zone and, consequently, performs no cryptography, authentication, or verification. When a resolver initiates a DNS query and the response contains DNSSEC resource records, the DNS client returns these records to the calling program and caches them in the same manner as any other resource records. This is the extent to which Windows XP DNS clients support DNSSEC. When the DNS client receives a SIG resource record for an RRset, it does not perform an additional query to obtain the associated KEY record or any other DNSSEC records.

Resolvers do not authenticate resource records by verifying the signature information contained in the SIG resource record. The DNS client does not contain any information to indicate which resource records have been authenticated or to what extent they have been authenticated.

When a resolver performs a query or receives a response, it does not set the checking disabled (CD) header bit, which in DNSSEC indicates that nonauthenticated data is acceptable to the resolver, and it does not recognize the authentic data (AD) header bit, which in DNSSEC indicates that the server has authenticated the data according to its policies.
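The two points above, that the server caches and forwards SIG records it has not verified and that the AD and CD header bits carry the validation state, are easier to see on the wire. The following is an added example, not code from the original page or from Windows DNS: a small Python parser for the DNS message format that reports the AD and CD bits and lists the SIG, KEY and NXT records in each section. It is fed a constructed response of the kind a non-validating server would return, with SIG and KEY records present but the AD bit clear. All names, addresses, timestamps, key and signature bytes in `sample_response` are placeholders assumed for this example.

```python
import struct

# RR type codes: the RFC 2535 DNSSEC types plus the ordinary types used below.
RR_TYPES = {1: "A", 5: "CNAME", 24: "SIG", 25: "KEY", 30: "NXT"}
DNSSEC_TYPE_NAMES = ("SIG", "KEY", "NXT")

def encode_name(name):
    """Encode a dotted name as an uncompressed label sequence (RFC 1035 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(data, offset):
    """Decode a name that may use compression pointers; return (name, next offset)."""
    labels, end = [], None
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-byte pointer to an earlier name (RFC 1035 4.1.4)
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", end if end is not None else offset

def parse_flags(flags):
    """Name the header bits; AD and CD carry the DNSSEC meaning from RFC 2535."""
    return {
        "qr": bool(flags & 0x8000),
        "aa": bool(flags & 0x0400),
        "ad": bool(flags & 0x0020),  # authentic data: the server validated the answer
        "cd": bool(flags & 0x0010),  # checking disabled: querier accepts unvalidated data
        "rcode": flags & 0x000F,
    }

def parse_message(data):
    """Parse the header, question and the answer/authority/additional sections."""
    msg_id, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    offset, questions = 12, []
    for _ in range(qd):
        name, offset = decode_name(data, offset)
        qtype, _qclass = struct.unpack("!HH", data[offset:offset + 4])
        offset += 4
        questions.append((name, RR_TYPES.get(qtype, qtype)))
    msg = {"id": msg_id, "flags": parse_flags(flags), "questions": questions}
    for section, count in (("answer", an), ("authority", ns), ("additional", ar)):
        records = []
        for _ in range(count):
            name, offset = decode_name(data, offset)
            rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
            offset += 10
            records.append((name, RR_TYPES.get(rtype, rtype), ttl, data[offset:offset + rdlen]))
            offset += rdlen
        msg[section] = records
    return msg

def dnssec_records(msg):
    """DNSSEC record types present in each section, e.g. {"answer": ["SIG"]}."""
    found = {}
    for section in ("answer", "authority", "additional"):
        types = sorted({r[1] for r in msg[section] if r[1] in DNSSEC_TYPE_NAMES})
        if types:
            found[section] = types
    return found

def validated_by_server(msg):
    """Only the AD bit says the server validated the data; SIG records alone do not."""
    return msg["flags"]["ad"]

def build_record(owner_wire, rtype, ttl, rdata):
    """Assemble one RR; owner_wire is an encoded name or a compression pointer."""
    return owner_wire + struct.pack("!HHIH", rtype, 1, ttl, len(rdata)) + rdata

def sample_response(ad_bit=False):
    """Constructed sample (not a real capture): an A record plus its SIG in the
    answer section and the zone KEY in the additional section, as a server that
    stores DNSSEC records without checking them would return them. Signature and
    key bytes are zero placeholders; the names and address are documentation values."""
    flags = 0x8400 | (0x0020 if ad_bit else 0)  # QR, AA, optionally AD; CD clear
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 2, 0, 1)
    question = encode_name("host.example.com") + struct.pack("!HH", 1, 1)
    qname_ptr = b"\xc0\x0c"  # compression pointer to the question name at offset 12
    a_rr = build_record(qname_ptr, 1, 3600, bytes([192, 0, 2, 10]))
    # SIG RDATA (RFC 2535 4.1): type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer's name, signature (placeholder).
    sig_rdata = struct.pack("!HBBIIIH", 1, 1, 3, 3600, 0x5F000000, 0x5E000000, 12345)
    sig_rdata += encode_name("example.com") + b"\x00" * 16
    sig_rr = build_record(qname_ptr, 24, 3600, sig_rdata)
    # KEY RDATA (RFC 2535 3.1): flags, protocol (3 = DNSSEC), algorithm, public key.
    key_rdata = struct.pack("!HBB", 0x0100, 3, 1) + b"\x00" * 16
    key_rr = build_record(encode_name("example.com"), 25, 3600, key_rdata)
    return header + question + a_rr + sig_rr + key_rr
```

Running `parse_message(sample_response())` shows a reply that carries a SIG in the answer section and a KEY in the additional section while `validated_by_server` returns False. That is the check a consumer of this data has to make: with a Windows Server 2003 DNS server or Windows XP client in the path, the AD bit is never set and the CD bit is never sent, so the records have to be validated by some other component or not relied on at all.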

For more information, see Modify DNSSEC configuration and DNSSEC overview.

Note

  • If a signing agent running on the Windows Server 2003 DNS server signs the zone's resource records, that server can also be used as a primary server for a DNSSEC-compliant secure zone.