Identify Signing Computers

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Tip

This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

The deployment of DNSSEC on DNS servers begins with the generation of cryptographic keys. Public and private keys are generated and stored on two computers that you identify. Private DNSSEC signing keys must be kept in a secure location, whereas public signing keys do not have this requirement.

Important

The generation of keys, the storing of the private key and the signing of zones should be performed on a computer that is physically secure and whose access is restricted to essential personnel only.

Identifying signing computers

Identify two computers to be used for key signing and storage. The following are requirements for these computers:

  1. Secure signing computer. The secure signing computer must be accessible to essential trusted personnel only. This computer will be used to generate keys and sign zones. The secure signing computer must be running Windows Server® 2008 R2, with the DNS server role installed. It does not have to be a domain controller or a member server in a domain.

  2. Secure backup computer. The secure backup computer must be accessible to essential trusted personnel only. This computer will be used to store a backup copy of the private key that is generated on the secure signing computer. The backup computer does not have to be a DNS server.

See Also

Concepts

Checklist: Preparing to Deploy DNSSEC
Back Up Private Keys