
Identify Zones for DNSSEC

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Before you deploy DNSSEC, you must identify the DNS zones that must be secured.

Important
When deploying DNSSEC for the first time, limit the size and scope of your deployment to a static zone and a small number of clients and servers. Expand your deployment gradually as you become more familiar with issues and requirements associated with the technology.

Consider the following factors when identifying zones that you wish to protect with DNSSEC.

  • Once a zone is signed, it can no longer accept dynamic updates. In Windows Server 2008 R2, zone signing is an offline operation on the zone file, so every record change requires the zone to be edited and re-signed.

  • Signing an Active Directory (AD) integrated domain zone therefore requires that all SRV records, and the other resource records that domain controllers and clients normally register dynamically, be maintained by hand. To sign an AD-integrated zone, it must first be converted to a file-backed zone. Because of this maintenance burden, start with a separate static zone rather than the domain zone itself.

  • All authoritative DNS servers that host a signed zone must first be upgraded to Windows Server® 2008 R2. Earlier versions of the DNS Server service cannot load or serve the DNSSEC resource records (DNSKEY, RRSIG, NSEC, DS) that signing adds to the zone.

If you do not have an existing zone that is suitable to use in your DNSSEC deployment, you can create a new zone that contains only those resource records that you choose to protect. A new DNSSEC-protected zone can be deployed using the following steps:

  1. Identify the names that can be placed in a static zone. Servers that host applications, file shares, and databases typically have static IP addresses and can be added to a static DNS zone; workstations and other hosts that depend on dynamic registration cannot.

  2. Identify the DNS servers that will host the zone and the DNS servers that will resolve and validate names in it. See DNSSEC Deployment Planning for operating system considerations.

  3. Create a new zone on your DNS servers that client computers can find through their DNS suffix search list. For example, if your domain is woodgrovebank.com, create a zone named secure.woodgrovebank.com.

  4. Add the static records to the zone.

  5. Sign the zone, and distribute its trust anchor (the public key-signing key) to every non-authoritative DNS server that must validate responses for the zone.

  6. Configure and deploy Name Resolution Policy Table (NRPT) settings for the zone through Group Policy, so that clients require validated responses for names under the new suffix.

  7. Verify that clients can resolve names in the zone by fully qualified domain name (FQDN) before changing any client search settings.

  8. Add the new domain suffix to the DNS suffix search list on client computers.

  9. Only after the previous steps succeed, delete the original static records from the previous zones.
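The following script is an added example, not part of the original TechNet page, that walks through steps 3 to 7 on a Windows Server 2008 R2 DNS server using the dnscmd.exe tool that release ships with (the DnsServer PowerShell module did not exist yet). The zone name secure.woodgrovebank.com is taken from the text; the host names, addresses, key friendly names and file names are assumptions for illustration, and the exact argument order of /TrustAnchorAdd should be confirmed with `dnscmd /TrustAnchorAdd /?` before use. It also shows, as a comment, the /ZoneResetType conversion that the AD-integrated caveat above refers to. Run it from an elevated PowerShell prompt on the authoritative server.

```powershell
# Added example (not from the original page): steps 3-7 of a first DNSSEC
# deployment on Windows Server 2008 R2 using dnscmd.exe.
# Assumed names: zone from the text; hosts, addresses, key names are invented.

$Zone     = 'secure.woodgrovebank.com'
$DnsDir   = Join-Path $env:SystemRoot 'System32\dns'   # where the DNS service keeps zone files
$Unsigned = "$Zone.dns"
$Signed   = "$Zone.dns.signed"
$Ksk      = "KSK-$Zone"   # friendly names of the key certificates (assumed)
$Zsk      = "ZSK-$Zone"

# Constructed list of static records to move into the new zone (step 4).
$StaticHosts = [ordered]@{
    'app01' = '10.1.10.21'
    'fs01'  = '10.1.10.22'
    'db01'  = '10.1.10.23'
}

function Invoke-Dnscmd {
    # Run dnscmd.exe and stop the script on the first failure; a half-signed
    # zone must never be loaded by accident.
    param([string[]]$Arguments)
    $output = & dnscmd.exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "dnscmd $($Arguments -join ' ') failed ($LASTEXITCODE): $output"
    }
    $output
}

# Step 3: create a file-backed primary zone. The offline signer works on the
# zone file, which is why an AD-integrated zone would first need
#   dnscmd /ZoneResetType $Zone /Primary /file $Unsigned
# before it could be signed at all.
Invoke-Dnscmd @('/ZoneAdd', $Zone, '/Primary', '/file', $Unsigned) | Out-Null

# Step 4: add the static A records, then flush the zone to its file so the
# signer sees every record.
foreach ($h in $StaticHosts.GetEnumerator()) {
    Invoke-Dnscmd @('/RecordAdd', $Zone, $h.Key, 'A', $h.Value) | Out-Null
}
Invoke-Dnscmd @('/ZoneWriteBack', $Zone) | Out-Null

# Step 5a: generate a key-signing key (KSK) and a zone-signing key (ZSK).
# Keys are kept as self-signed certificates in the local computer's
# MS-DNSSEC certificate store; rsasha1 is the algorithm documented for 2008 R2.
Invoke-Dnscmd @('/OfflineSign', '/GenKey', '/Alg', 'rsasha1', '/Flags', 'KSK',
                '/Length', '2048', '/Zone', $Zone, '/SSCert', '/FriendlyName', $Ksk) | Out-Null
Invoke-Dnscmd @('/OfflineSign', '/GenKey', '/Alg', 'rsasha1',
                '/Length', '1024', '/Zone', $Zone, '/SSCert', '/FriendlyName', $Zsk) | Out-Null

# Step 5b: sign the zone file offline and reload the zone from the signed file.
# From this point on, any record change means: edit, re-sign, reload.
Push-Location $DnsDir
try {
    Invoke-Dnscmd @('/OfflineSign', '/SignZone', '/input', $Unsigned, '/output', $Signed,
                    '/zone', $Zone,
                    '/signkey', '/cert', '/friendlyname', $Ksk,
                    '/signkey', '/cert', '/friendlyname', $Zsk) | Out-Null
} finally { Pop-Location }
Invoke-Dnscmd @('/ZoneDelete', $Zone, '/f') | Out-Null
Invoke-Dnscmd @('/ZoneAdd', $Zone, '/Primary', '/file', $Signed, '/load') | Out-Null

# Step 5c: show the zone's DNSKEY records. The one with flags 257 is the KSK;
# that record is the trust anchor to install on every validating,
# non-authoritative 2008 R2 DNS server, for example (syntax to confirm locally):
#   dnscmd <ResolvingServer> /TrustAnchorAdd $Zone DNSKEY 257 3 5 <Base64KeyFromOutput>
# Carry the key to those servers out of band; never take it from a DNS answer.
Invoke-Dnscmd @('/EnumRecords', $Zone, '@', '/Type', 'DNSKEY')

# Step 6 has no dnscmd equivalent: create the NRPT rule for the suffix
# .$Zone in Group Policy (Computer Configuration > Policies > Windows Settings >
# Name Resolution Policy) with DNSSEC enabled and validation required, then on
# a client confirm it applied with:  netsh namespace show policy

# Step 7: confirm that every static name resolves by FQDN and that the server
# really serves signatures for it. Resolution alone does not prove validation;
# with the NRPT rule in force, an unsigned or tampered answer fails on the client.
function Test-ZoneResolution {
    param([string]$Fqdn, [string]$ExpectedAddress)
    try {
        $found = [System.Net.Dns]::GetHostAddresses($Fqdn) | ForEach-Object { $_.IPAddressToString }
    } catch { return $false }
    return ($found -contains $ExpectedAddress)
}
foreach ($h in $StaticHosts.GetEnumerator()) {
    $fqdn = "$($h.Key).$Zone"
    $rrsig = Invoke-Dnscmd @('/EnumRecords', $Zone, $h.Key, '/Type', 'RRSIG')
    if ((Test-ZoneResolution $fqdn $h.Value) -and ($rrsig -match 'RRSIG')) {
        Write-Host "OK   $fqdn -> $($h.Value) (signed)"
    } else {
        Write-Warning "FAIL $fqdn : fix this before steps 8 and 9"
    }
}
```

Only after every name passes step 7 should the suffix be pushed to clients (step 8) and the old records removed (step 9); keeping the originals until then gives you a rollback path that costs nothing.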

© 2014 Microsoft. All rights reserved.