DNSSEC in Windows


Updated: February 11, 2014

Applies To: Windows Server 2012 R2, Windows Server 2012

Support for Domain Name System Security Extensions (DNSSEC) in Windows Server 2012 and Windows Server 2012 R2 is significantly enhanced in comparison to previous versions of Windows. See the following topics for more information:

  • DNS Servers: Support for DNSSEC-signed zones on primary, authoritative DNS servers was added with Windows Server 2008 R2. However, support in Windows Server 2008 R2 was limited to offline signing of static zones, and standards such as NSEC3 and RSA/SHA-2 were not supported. DNSSEC support is enhanced significantly in Windows Server 2012 and later operating systems.

  • DNS Clients: The DNS Client service in Windows 7 and later operating systems is DNSSEC-aware. Previous operating systems were not DNSSEC-aware. Operating systems that are DNSSEC-aware can be configured to require DNSSEC validation.

  • DNS Zones: Signing a zone with DNSSEC protects it from spoofing attacks. Before you can sign a zone with DNSSEC, you must specify several DNSSEC options and parameters. You can specify zone signing parameters and sign a zone with Windows PowerShell, or you can use the Zone Signing Wizard that is provided in the DNS Manager console.

  • Trust Anchors: A trust anchor is a public cryptographic key that enables a DNS server to validate DNS responses in a namespace as genuine. If a DNS server has a trust anchor, it automatically attempts to validate DNS responses for that namespace. Trust anchors must be updated each time that a zone is signed.

  • The NRPT: The Name Resolution Policy Table (NRPT) is a table of namespaces and corresponding settings that are stored in the Windows registry. These settings determine the DNS client's behavior when issuing queries and processing responses. You can use the NRPT to configure security-aware DNS clients to require validation of DNS responses.
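As an added example (not code from the original page), the following Windows PowerShell ties the items above together: choosing NSEC3 and RSA/SHA-256 signing parameters, signing the zone, exporting the public key-signing key, installing it as a trust anchor on a validating DNS server, and adding an NRPT rule so DNSSEC-aware clients require validated answers. The zone name contoso.com, the server name resolver01, the export folder and the placeholder key value are assumptions for illustration; the cmdlets are from the DnsServer and DnsClient modules that ship with Windows Server 2012 and later.

```powershell
# Added example, not from the original page. Assumptions: "contoso.com" is a
# primary zone hosted on the local DNS server, "resolver01" is a separate
# validating (non-authoritative) DNS server, and the NRPT rule is run on a
# Windows 7 or later client. Run in an elevated PowerShell session.

Import-Module DnsServer

$zone = "contoso.com"   # assumed zone name

# 1. Specify signing parameters before signing: NSEC3 denial of existence
#    (not available on Windows Server 2008 R2). Iterations and salt length
#    are modest values; a large iteration count only makes resolvers work
#    harder without adding meaningful protection.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone `
    -DenialOfExistence NSec3 `
    -NSec3Iterations 10 `
    -NSec3RandomSaltLength 8

# 2. Generate a Key Signing Key (KSK) and a Zone Signing Key (ZSK) with
#    RSA/SHA-256, another algorithm that 2008 R2 could not use.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 -KeyLength 2048
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 -KeyLength 1024

# 3. Sign the zone with the keys just added. This is the PowerShell
#    equivalent of the Zone Signing Wizard in DNS Manager.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# 4. Verify the zone now carries DNSKEY and RRSIG records, and let the
#    server check the signing configuration for problems.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
Get-DnsServerResourceRecord -ZoneName $zone -RRType Rrsig | Select-Object -First 5
Test-DnsServerDnsSecZoneSetting -ZoneName $zone

# 5. Export the public KSK (DNSKEY and DS form) so validating servers and
#    the parent zone can trust it. The folder is an assumed location.
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path "C:\DnssecKeys" -DigestType Sha256 -Force

# 6. On the validating server, install the KSK as a trust anchor. Paste the
#    Base64 public key from the exported DNSKEY record into $ksk. A resolver
#    holding this anchor validates every answer for the namespace; repeat
#    this step after the zone is signed with a new key, or validation fails.
$ksk = "<Base64 public key exported in step 5>"   # placeholder value
Invoke-Command -ComputerName resolver01 -ScriptBlock {
    param($name, $key)
    Add-DnsServerTrustAnchor -Name $name -CryptoAlgorithm RsaSha256 -KeyProtocol Dnssec -Base64Data $key
    Get-DnsServerTrustAnchor -Name $name
} -ArgumentList $zone, $ksk

# 7. On the DNS client, add an NRPT rule that requires DNSSEC validation for
#    the namespace. The leading dot makes the rule cover every name beneath
#    contoso.com. The rule is written to the registry-backed NRPT.
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired -Comment "Require DNSSEC for $zone"
Get-DnsClientNrptRule | Where-Object Namespace -eq ".$zone"

# 8. Check from the client with the DNSSEC OK (DO) bit set. A validated
#    answer includes RRSIG records next to the A records; with the NRPT rule
#    in place, an answer the resolver cannot validate is rejected instead of
#    being handed to applications as if it were genuine.
Resolve-DnsName -Name "www.$zone" -Type A -Server resolver01 -DnssecOk
```

Steps 1 to 5 run on the authoritative server, step 6 on the validating resolver, and steps 7 and 8 on a client; in a domain, the NRPT rule is normally deployed through Group Policy rather than per machine.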