Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
The security extensions made to DNS in DNSSEC (RFC 2535) offer services to perform data origin authentication and integrity checking. These services allow digital signatures to be encrypted using private keys and sent as resource records from DNS servers hosting signed (DNSSEC-compliant) zones to resolvers where the resource records can be authenticated using public keys. Both digital signatures and public keys are added to a signed zone in the form of resource records.
It is important to note that the DNSSEC extensions do not intend to protect a DNS server from security problems but are used as a method of data protection for the domain name data sent using DNS. Both private and public keys are associated with specific zones and not with DNS servers hosting those zones. If the security of DNS servers hosting those zones is breached, then the ability of resolvers to authenticate resource records from those zones remains intact and secure.
The features of DNSSEC described here, or in RFC 2535, are not fully supported in Windows Server 2003 DNS. Windows Server 2003 DNS provides "basic support" of DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. For more information, see Using DNS Security Extensions (DNSSEC).
In DNSSEC, each zone has its own public and private key used to encrypt and decrypt digital signatures. An encrypted, or secure, zone is a DNS zone that has both a private and public key. When a RRset in a zone is signed using a private key, resolvers containing the zone's public key can authenticate whether a RRset received from the zone is properly authorized.
By using the zone's private key to sign each RRset in the zone, each domain name in the zone, such as widgets.microsoft.com, has a private key. The digital signature for that RRset is added to the zone in the form of a new resource record, SIG. When a DNS server responds positively to a query for a DNS name, it replies with the requested resource records and the SIG resource record that corresponds to that name. Resolvers aware of the public key associated with the requested name receive the SIG resource record and use the public key to authenticate the resource records. The zone's public key is stored in a new resource record type, KEY. KEY resource records must be provided to the resolver before the resolver can authenticate SIG resource records.
DNSSEC verifies to a resolver that the records it has received from a secure zone actually came from the correct zone. Using DNSSEC, a resolver will verify that the IP address for the domain widgets.microsoft.com truly arrived from the only valid widgets.microsoft.com zone.
There are many special considerations in DNSSEC that use DNSSEC resource records in ways uncommon to conventional resource record use. For more information about RFC 2535, "Domain Name System Security Extensions (DNSSEC)," see DNS RFCs.