Configure DNSSEC

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2

You can use the following procedure to modify the configuration of Domain Name System (DNS) Security Extensions (DNSSEC). The value of the registry entry EnableDnsSec determines whether the DNS server includes or excludes DNSSEC resource records when it receives queries.

Warning

It is recommended that you do not directly edit the registry unless there is no other alternative. Modifications to the registry are not validated by the registry editor or by Windows before they are applied, and as a result, incorrect values can be stored. This can result in unrecoverable errors in the system. When possible, use Group Policy or other Windows tools, such as Microsoft Management Console (MMC), to accomplish tasks rather than editing the registry directly. If you must edit the registry, use extreme caution.

Administrative credentials

To perform this procedure, you must be a member of the Administrators group on the local computer, or you must have been delegated the appropriate authority. If the computer is joined to a domain, members of the Domain Admins group might be able to perform this procedure. As a security best practice, consider using the Run as command to perform this procedure.

To configure DNSSEC

  1. Open Registry Editor.

  2. In Registry Editor, navigate to the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters

  3. Add the following DWORD entry:

    EnableDnsSec

  4. Do one of the following:

    • To exclude DNSSEC resource records from query responses other than responses to requests for SIG, KEY, or NXT resource records, assign a value of 0x0. The appropriate resource records will be included only in responses to requests for SIG, KEY, or NXT resource records.

    • To include the DNSSEC resource records in all query responses (according to RFC 2535), assign a value of 0x2.

    • To include DNSSEC resource records only when the original client query contained the OPT resource record (according to RFC 2671), assign a value of 0x1, or do not create the entry at all. The DNS server behaves the same whether the value is 0x1 or the entry is absent from the registry.

Note

To open Registry Editor, click Start, click Run, type regedit, and then click OK.
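The same change can be scripted with the reg.exe tool that ships with Windows Server 2003, which avoids a typing mistake in Registry Editor and leaves a record of the value that was written. The batch script below is an added example, not from the original page: it shows the current EnableDnsSec setting, writes one of the three documented values as a REG_DWORD under the subkey named in step 2, and then restarts the DNS Server service. The script name set-dnssec.cmd is made up for this example, and the restart of the DNS Server service is an assumption (the page does not say whether the server re-reads the parameter while running).

```batch
@echo off
REM Added example (not from the original page): sets EnableDnsSec with reg.exe
REM instead of editing the registry by hand. Run from a command prompt opened
REM with administrative credentials on the DNS server.
REM Usage: set-dnssec.cmd [0|1|2]
REM   0 = DNSSEC records only in answers to SIG/KEY/NXT queries
REM   1 = DNSSEC records only when the client query carried an OPT record (default)
REM   2 = DNSSEC records in all responses (RFC 2535 behaviour)

setlocal
set "KEY=HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters"
set "VALUE=EnableDnsSec"
set "DATA=%~1"
if "%DATA%"=="" set "DATA=1"

REM Accept only the three values the page documents; anything else is refused
REM so that an undefined value is never stored in the registry.
if not "%DATA%"=="0" if not "%DATA%"=="1" if not "%DATA%"=="2" (
    echo Invalid value "%DATA%". Use 0, 1 or 2.
    exit /b 1
)

echo Current setting (a missing entry behaves like 1):
reg query "%KEY%" /v %VALUE% 2>nul || echo   %VALUE% is not present

REM /t REG_DWORD matches step 3 of the procedure; /f overwrites an existing
REM entry without prompting.
reg add "%KEY%" /v %VALUE% /t REG_DWORD /d %DATA% /f
if errorlevel 1 (
    echo Failed to write %VALUE%. Check that you have administrative credentials.
    exit /b 1
)

REM Assumption (not stated on the page): the DNS Server service reads this
REM parameter when it starts, so restart it for the change to take effect.
net stop dns && net start dns

echo New setting:
reg query "%KEY%" /v %VALUE%
endlocal
```

Running the script with no argument writes 0x1, which the page states is the same as leaving the entry out; running it with 0 or 2 selects the other two documented behaviours. The reg query before and after the change gives a before-and-after record that can be kept with the change ticket.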