DNS Security Extensions

Applies To: Windows Server 2008 R2

DNS clients running Windows 7 and Windows Server 2008 R2 and DNS servers running Windows Server 2008 R2 support DNS Security Extensions (DNSSEC) to validate the integrity of DNS records as specified in Requests for Comments (RFCs) 4033, 4034, and 4035. By verifying that a DNS record was generated by the authoritative DNS server and that the record has not been modified in transit, computers running Windows 7 and Windows Server 2008 R2 can validate the integrity of DNS responses.

With DNSSEC, authoritative DNS servers running Windows Server 2008 R2 that support DNSSEC will cryptographically sign a DNS zone to generate digital signatures for all the resource records in the zone. Other DNS servers can use a trust anchor to verify that a DNS record was signed by the authoritative DNS server and that it has not been modified.

DNS servers perform the validation of DNS records; DNS clients running Windows 7 are DNSSEC-aware but do not validate records themselves. A DNS client running Windows 7 relies on its local DNS server for DNSSEC validation and can check whether validation was successfully performed on the responses before returning the results of the query to an application.

Figure 5 illustrates how IPsec and DNSSEC can provide an end-to-end DNSSEC solution to validate a DNS request that must traverse multiple levels of DNS servers. For example, the client computer could be located at a branch office and configured to use IPsec to connect to a local, non-authoritative DNS server running Windows Server 2008 R2. The local DNS server can forward requests to the domain’s authoritative DNS server, use DNSSEC to verify the integrity of internal DNS records (even if there are multiple interim DNS servers), and inform the client that DNSSEC was used to validate the records.

Figure 5   DNSSEC can prevent man-in-the-middle attacks
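The client-side behaviour described above (a security-aware but non-validating stub resolver that asks its local DNS server for DNSSEC records and then checks whether the server reports that validation succeeded) can be illustrated with the DNS wire format itself. The following Python example is added here for illustration; it is not the Windows resolver's code, and the query and response messages it works on are constructed inline rather than captured from a network. It builds a query carrying the EDNS0 DNSSEC OK (DO) bit, then reads the Authentic Data (AD) and Checking Disabled (CD) flags and the response code from constructed responses to classify each answer the way a client relying on its resolver would. As the text notes, the AD flag is only meaningful when the path to the local DNS server is itself protected (for example with IPsec), because the flag is set by the resolver, not by the authoritative server that signed the zone.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 4035 section 3.2).
FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # Authentic Data: the resolver validated the answer
FLAG_CD = 0x0010  # Checking Disabled: client asked the resolver not to validate

EDNS_DO = 0x8000  # DNSSEC OK bit, carried in the TTL field of the OPT record (RFC 3225)
RCODE_SERVFAIL = 2


def encode_name(name):
    """Encode a domain name in DNS wire format: length-prefixed labels, zero terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            encoded = label.encode("ascii")
            if len(encoded) > 63:
                raise ValueError("label too long")
            out += bytes([len(encoded)]) + encoded
    return out + b"\x00"


def build_query(txid, name, qtype=1, dnssec_ok=True, udp_size=4096):
    """Build a DNS query with one question and an EDNS0 OPT record.

    Setting DO tells the local DNS server that this client understands DNSSEC and
    wants RRSIG/DNSKEY records and the AD flag in the response (RFC 4035 section 3.2.1).
    """
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)  # ARCOUNT=1 for OPT
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    ttl_field = EDNS_DO if dnssec_ok else 0
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE/version/flags, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", 41, udp_size, ttl_field, 0)
    return header + question + opt


def parse_header(msg):
    """Decode the 12-byte DNS header into its fields and flags."""
    if len(msg) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "response": bool(flags & FLAG_QR),
        "rcode": flags & 0x000F,
        "authentic_data": bool(flags & FLAG_AD),
        "checking_disabled": bool(flags & FLAG_CD),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def validation_status(query, response):
    """Classify a response the way a non-validating, security-aware stub resolver would.

    'mismatch'    the message is not an answer to our query (wrong ID or not a response)
    'servfail'    the resolver refused to answer; a validating resolver returns this for bogus data
    'validated'   the resolver set AD, asserting the chain of trust from the trust anchor checked out
    'unvalidated' an answer arrived but DNSSEC did not vouch for it
    """
    qid = struct.unpack("!H", query[:2])[0]
    hdr = parse_header(response)
    if hdr["id"] != qid or not hdr["response"]:
        return "mismatch"
    if hdr["rcode"] == RCODE_SERVFAIL:
        return "servfail"
    if hdr["authentic_data"]:
        return "validated"
    return "unvalidated"


def make_response(txid, flags, question):
    """Construct a minimal response that echoes the question (constructed test data, no answer RRs)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question


# Constructed sample exchange: one query and four possible replies from the local DNS server.
QUERY = build_query(0x1234, "example.com")
QUESTION = encode_name("example.com") + struct.pack("!HH", 1, 1)
VALIDATED = make_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, QUESTION)
UNVALIDATED = make_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA, QUESTION)
SERVFAIL = make_response(0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, QUESTION)
WRONG_ID = make_response(0x9999, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_AD, QUESTION)

if __name__ == "__main__":
    for label, resp in (("validated", VALIDATED), ("unvalidated", UNVALIDATED),
                        ("servfail", SERVFAIL), ("wrong id", WRONG_ID)):
        print(f"{label:12s} -> {validation_status(QUERY, resp)}")
```

An application that needs an authenticated answer should treat only the `validated` outcome as trustworthy; `unvalidated` means the local server either did not validate or the zone is unsigned, and `servfail` is what a validating resolver returns when signatures do not verify against its trust anchor.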

For more information about DNSSEC, see What’s New in DNS.