3. Configuring a DNSSEC Zone
In this scenario, the zone companyabc.com will be signed with DNSSEC. The zone is unsigned to start and contains several records, shown in Figure 1.
Figure 1. Unsecured DNS zone.
The DNSSEC configuration and management is done using the DNS Manager utility. To sign a DNS zone, follow these steps:
1. Launch Server Manager from a Windows 2012 server with a full GUI.
2. Select the DNS section. The list of servers in the server pool with the DNS role installed will be shown.
3. Right-click the DNS server to configure and select DNS Manager.
4. Select the DNS server name to configure.
5. Select the Forward Lookup Zones node.
6. Select the zone to sign.
7. Right-click the zone and select DNSSEC and then Sign the Zone.
8. At the Zone Signing Wizard screen, click Next.
9. Select Use recommended setting to sign the zone, then click Next.
10. Review the settings, and then click Next to sign the zone.
11. Click Finish to exit the wizard.
The zone companyabc.com is now signed. Figure 2 shows the zone records after signing.
Figure 2. Signed zone records.
There are four records for each previous entry now:
• Standard A Record
• RR Signature (RRSIG) Record for the Standard Record
• Next Secure (NSEC) Record
• RR Signature (RRSIG) Record for the Next Secure Record
To distribute the trust anchor for the DNSSEC zone, follow these steps:
1. Launch Server Manager from a Windows 2012 server with a full GUI.
2. Select the DNS section. The list of servers in the server pool with the DNS role installed will be shown.
3. Right-click the DNS server to configure and select DNS Manager.
4. Select the DNS server name to configure.
5. Select the Forward Lookup Zones node.
6. Select the zone to sign.
7. Right-click the zone and select DNSSEC and then Properties.
8. Select the Trust Anchor tab.
9. Check the Enable the Distribution of Trust Anchors for This Zone box.
10. Click OK to save the changes.
11. Click Yes to confirm the change.
12. Click OK when the setting is complete.
After the setting is applied, there will be a new folder named Trust Points that contains a pair of records of type DNSKEY for the zone. These contain the public key for the trust anchor of the signed zone.
Without any additional configuration, the DNS clients blissfully ignore the DNSSEC for the zone. To have the clients use the DNSSEC properties of the DNS zone, they must be configured to request secure DNS entries. This is done by configuring a Name Resolution Policy Table (NRPT) policy for clients.
The NRPT policy can be configured through group policy. To create an NRPT group policy for the secure.companyabc.com zone, follow these steps:
1. Launch Server Manager from a Windows 2012 server with a full GUI.
2. Select Tools and then Group Policy Management.
3. Expand Forest: companyabc.com, Domains, and select companyabc.com.
4. Right-click companyabc.com and select Create a GPO in This Domain, and Link It Here.
5. Enter NRPT Group Policy Object and click OK.
6. Right-click the NRPT Group Policy Object link and select Edit.
7. Expand Computer Configuration, Policies, Windows Settings, and select Name Resolution Policy.
8. In the To Which Part of the Namespace Does This Rule Apply? field, select Suffix and enter companyabc.com.
9. On the DNSSEC tab, check the Enable DNSSEC in This Rule box.
10. Check the Validation box Require DNS Clients to Check That Name and Address Data Has Been Validated.
Note
The wording of this option is precise. The Windows DNS client will check that the DNS server has validated the data, but will not do the validation itself.
11. Figure 3 shows how the record should look. Click the Create button to create the record in the Name Resolution Policy Table at the bottom of the screen.
Figure 3. Name-resolution policy.
12. Close the GPMC editor to save the changes.
Now, all domain DNS clients will request that DNS servers check the validity of the lookups for domain companyabc.com using DNSSEC.