
Identify Signing Computers

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Tip
This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

The deployment of DNSSEC on DNS servers begins with the generation of cryptographic keys. Public and private keys are generated and stored on two computers that you identify. Private DNSSEC signing keys must be kept in a secure location, whereas public signing keys do not have this requirement.

Important
The generation of keys, the storing of the private key and the signing of zones should be performed on a computer that is physically secure and whose access is restricted to essential personnel only.

Identify two computers to be used for key signing and storage. The following are requirements for these computers:

  1. Secure signing computer. The secure signing computer must be accessible to essential trusted personnel only. This computer will be used to generate keys and sign zones. The secure signing computer must be running Windows Server® 2008 R2, with the DNS server role installed. It does not have to be a domain controller or a member server in a domain.

  2. Secure backup computer. The secure backup computer must be accessible to essential trusted personnel only. This computer will be used to store a backup copy of the private key that is generated on the secure signing computer. The backup computer does not have to be a DNS server.
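The following Windows PowerShell script is an added example, not part of the original article and not a Microsoft-supplied tool. It checks a candidate secure signing computer against the requirements listed above: the operating system is Windows Server 2008 R2, the DNS Server role is installed, and the local Administrators group (the accounts able to generate keys and sign zones on this machine) is small enough to review against the "essential personnel only" requirement. It assumes it is run locally on the candidate, with administrator rights, under the Windows PowerShell 2.0 that ships with Windows Server 2008 R2; the threshold of five administrators is an assumed review limit, not a value from the article.

```powershell
# Added example (not from the original article): pre-flight check for a
# candidate DNSSEC secure signing computer on Windows Server 2008 R2.
# Assumes: run locally, as an administrator, Windows PowerShell 2.0.
Import-Module ServerManager   # provides Get-WindowsFeature on 2008 R2

# Assumed review limit for local administrators (not a value from the article).
$MaxAdmins = 5

$os = Get-WmiObject Win32_OperatingSystem
$cs = Get-WmiObject Win32_ComputerSystem

# Requirement 1: the signing computer must run Windows Server 2008 R2.
$isR2 = $os.Caption -match 'Windows Server 2008 R2'

# Requirement 2: the DNS Server role ("DNS" feature name) must be installed.
$dnsInstalled = (Get-WindowsFeature DNS).Installed

# Informational only: domain membership is NOT required for the signing computer.
$membership = if ($cs.PartOfDomain) { "domain member ($($cs.Domain))" } else { "workgroup" }

# Access restriction: enumerate members of the local Administrators group via
# WMI so the list can be reviewed against 'essential personnel only'.
$admins = Get-WmiObject Win32_GroupUser |
    Where-Object { $_.GroupComponent -match 'Domain="' + $env:COMPUTERNAME + '",Name="Administrators"' } |
    ForEach-Object {
        # PartComponent looks like: \\HOST\root\cimv2:Win32_UserAccount.Domain="HOST",Name="Alice"
        if ($_.PartComponent -match 'Domain="([^"]+)",Name="([^"]+)"') {
            "$($Matches[1])\$($Matches[2])"
        }
    }
$adminsReviewable = ($admins.Count -le $MaxAdmins)

Write-Host "Computer            : $($cs.Name)"
Write-Host "Operating system    : $($os.Caption.Trim())"
Write-Host "Windows Server 2008 R2 : $isR2"
Write-Host "DNS Server role installed : $dnsInstalled"
Write-Host "Domain membership (not required) : $membership"
Write-Host "Local Administrators ($($admins.Count)):"
$admins | ForEach-Object { Write-Host "    $_" }

if ($isR2 -and $dnsInstalled -and $adminsReviewable) {
    Write-Host "RESULT: meets the secure signing computer requirements; review the administrator list above."
} else {
    Write-Host "RESULT: does NOT meet the requirements:"
    if (-not $isR2)            { Write-Host "  - not Windows Server 2008 R2" }
    if (-not $dnsInstalled)    { Write-Host "  - DNS Server role not installed" }
    if (-not $adminsReviewable){ Write-Host "  - more than $MaxAdmins local administrators; restrict access first" }
}
```

The script reports rather than changes anything, so it is safe to run on several candidate machines before choosing one. For the secure backup computer only the access-restriction part applies, since that machine does not need the DNS Server role.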
