Implementing DNSSEC in Windows Server 2012

DNSSEC adds origin authentication and integrity protection to DNS data by signing the records in a zone, so that a validating resolver can detect spoofed or tampered responses. In Windows Server 2012, DNSSEC is simpler to deploy than in Server 2008 R2 and supports secure dynamic updates in Active Directory integrated zones. Windows Server 2012 can sign and validate records using the updated DNSSEC standards (NSEC3 for authenticated denial of existence and RSA/SHA-2 for signatures). Previously, zones could only be signed with NSEC and RSA/SHA-1.

1. Open Server Manager and, from the Tools menu, open DNS Manager.


2. In the DNS Manager console, right-click the zone you want to sign, select DNSSEC, and then select Sign the Zone.


3. On the Zone Signing Wizard welcome page, click Next.


4. Select Customize zone signing parameters and then click Next.


5. Select one DNS server as the key master for the zone. The key master is the server responsible for generating and managing the zone's signing keys, including key rollover. Click Next.


6. Click Next.


7. On the Key Signing Key (KSK) page, click Add to create a KSK.


8. Review the KSK parameters (signing algorithm, key length, key storage provider and rollover period) and click OK.

9. Click Next.


10. On the Zone Signing Key (ZSK) introduction page, click Next.

11. On the Zone Signing Key page, click Add to configure a ZSK.

12. Review the ZSK parameters and click OK.

13. Click Next.

14. Select NSEC3 rather than the older NSEC resource record for authenticated denial of existence. NSEC3 records carry hashed owner names, so a client cannot enumerate every name in the zone simply by walking the NSEC chain. Click Next.

15. On the Trust Anchors page, automatic update of trust anchors on key rollover (RFC 5011) is enabled by default. You can also enable distribution of trust anchors for the zone, which publishes the zone's DNSKEY records as trust anchors to the other DNS servers running on domain controllers in the forest. Click Next.

16. On the Signing and Polling Parameters page, DS records are generated with SHA-1 and SHA-256 by default; this page also sets the DS and DNSKEY record TTLs and the secure delegation polling period. Accept the defaults and click Next.

17. Review the summary of the signing settings and click Next.

18. After the wizard signs the zone, click Finish. The zone now contains DNSKEY, RRSIG and NSEC3 records alongside its original data.

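The same signing procedure driven from PowerShell with the DnsServer module, as an added example that is not part of the original post. It assumes an Active Directory integrated zone named contoso.com, that it is run in an elevated session on the domain controller you want as key master, and a separate validating DNS server named resolver1 outside the forest; the KeyFlags check used to pick the KSK out of the DNSKEY records is also an assumption about the record object. Unlike the wizard, it sets the zone's DNSSEC parameters explicitly before creating the keys, then signs and verifies the result.

```powershell
# Added example (not from the original post). Assumed names: zone contoso.com,
# this host as key master, external validating server resolver1.
Import-Module DnsServer

$zone = 'contoso.com'

# 1. Zone-wide DNSSEC settings, applied before signing: NSEC3 with a random salt
#    instead of NSEC (no trivial zone walking), DS digests with SHA-1 and SHA-256,
#    RFC 5011 trust-anchor updates on rollover, and distribution of the zone's
#    DNSKEY trust anchors to the other DNS servers in the forest.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone `
    -DenialOfExistence NSec3 `
    -NSec3HashAlgorithm RsaSha1 `
    -NSec3Iterations 10 `
    -NSec3OptOut $false `
    -NSec3RandomSaltLength 8 `
    -DSRecordGenerationAlgorithm Sha1, Sha256 `
    -EnableRfc5011KeyRollover $true `
    -DistributeTrustAnchor DnsKey

# 2. Keys. The server these cmdlets run on becomes the key master for the zone.
#    KSK: RSA/SHA-256, 2048 bits, rolled over every 755 days.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 `
    -RolloverPeriod (New-TimeSpan -Days 755)
#    ZSK: RSA/SHA-256, 1024 bits, rolled over every 90 days.
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 1024 `
    -RolloverPeriod (New-TimeSpan -Days 90)

# 3. Sign with the keys and settings configured above. -SignWithDefault is
#    deliberately omitted so the custom parameters are used; -Force skips the prompt.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# 4. Verify on the authoritative side: the zone is signed, the keys exist, and
#    NSEC3 is actually in use (an NSEC3PARAM record is present at the apex).
Get-DnsServerZone -Name $zone | Select-Object ZoneName, IsSigned, IsDsIntegrated
Get-DnsServerSigningKey -ZoneName $zone |
    Format-List KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod
Get-DnsServerDnsSecZoneSetting -ZoneName $zone |
    Format-List DenialOfExistence, NSec3Iterations, DistributeTrustAnchor, EnableRfc5011KeyRollover
Get-DnsServerResourceRecord -ZoneName $zone -RRType NSec3Param

# 5. Verify from the client side: with the DO bit set, the answer must carry an
#    RRSIG for the A record. An answer with no RRSIG means the zone is not signed
#    or the query hit a server that has not received the signed zone yet.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $env:COMPUTERNAME -DnssecOk
if (-not ($answer | Where-Object Type -eq 'RRSIG')) {
    throw "No RRSIG returned for www.$zone; the zone is not being served signed."
}

# 6. Export the DS record set for the parent zone operator (creates dsset-<zone>
#    in the target folder). Until the parent publishes it, validators outside the
#    forest cannot chain to this zone from the root.
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\DnssecExport' -DigestType Sha256 -Force

# 7. A validating server outside the forest (assumed name resolver1) does not get
#    the distributed trust anchor, so install the KSK as a trust anchor manually.
#    Assumption: the DNSKEY record data exposes KeyFlags; 257 = ZONE + SEP, the KSK.
$ksk = Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey |
    Where-Object { $_.RecordData.KeyFlags -eq 257 } | Select-Object -First 1
Add-DnsServerTrustAnchor -ComputerName 'resolver1' -Name $zone -KeyProtocol Dnssec `
    -CryptoAlgorithm $ksk.RecordData.CryptoAlgorithm `
    -Base64Data $ksk.RecordData.Base64Data
```

Run this in an Administrator PowerShell session on the DNS server that should become key master. Zone settings changed with Set-DnsServerDnsSecZoneSetting after the zone is signed take effect only once the zone is re-signed (Invoke-DnsServerZoneSign with -DoResign), and the exported DS records are of no use until the parent zone operator publishes them, so a zone can be correctly signed and still fail validation from the internet until that delegation step is done.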

