
Deploy DNSSEC with Windows Server 2012

Published: February 11, 2014

Updated: February 11, 2014

Applies To: Windows Server 2012, Windows Server 2012 R2



Use the following concepts and procedures to deploy Domain Name System Security Extensions (DNSSEC) in Windows Server 2012 or in Windows Server 2012 R2.

To deploy DNSSEC, review the DNSSEC conceptual information below, and then use the DNSSEC deployment checklists that are provided in this guide.

  • Overview of DNSSEC: Provides information about how DNSSEC works.

  • DNS Servers: Describes DNSSEC support in Windows Server.

  • DNS Clients: Describes the behavior of security-aware and non-security-aware DNS clients.

  • DNS Zones: Provides information about zone signing and unsigning with Windows PowerShell or DNS Manager.

  • Trust Anchors: Describes trust anchors, which are public cryptographic keys that must be installed on DNS servers to validate DNSSEC data.

  • The NRPT: Introduces and provides details about the Name Resolution Policy Table (NRPT).

  • Why DNSSEC: Describes risks and benefits of DNSSEC.

  • Stage a DNSSEC Deployment: Provides steps and considerations to help introduce DNSSEC to your environment.

  • DNSSEC Performance Considerations: Describes the impact of zone signing on a DNS infrastructure.

  • DNSSEC Requirements: Describes the requirements for deploying DNSSEC.

 

| Checklist | Description |
| --- | --- |
| Checklist: Deploy DNSSEC | Use this parent checklist to get started deploying DNSSEC. |
| Checklist: Sign a Zone | Sign a DNS zone and verify DNSSEC signing. |
| Checklist: Distribute Trust Anchors | Export from authoritative DNS servers and import or add trust anchors to validating DNS servers. |
| Checklist: Deploy DNSSEC Policies to DNS Clients | Configure and verify name resolution policy. |
| Checklist: Review and Manage a Signed Zone | Administer your signed zone. |
| Checklist: Revert to an Unsigned Zone | Unsign a zone. |
| Checklist: Manage Signing Keys | Review and replace zone signing keys. |
| Checklist: Move the Key Master Role | Change the DNS server that is designated to be the Key Master. |
| Checklist: Reconfigure Zone Signing Parameters on a Signed Zone | Change zone signing parameters. |
| Checklist: Perform an Emergency Key Revocation | Unsign a zone and replace signing keys. |
| Checklist: Perform a Manual Key Rollover | Roll over signing keys manually and update trust anchors. |

© 2014 Microsoft