DNSSEC: Sign a DNS Zone with Windows Server


Windows Server 2019

DNSSEC (Domain Name System Security Extensions) is an extension of the DNS protocol that adds security to the DNS protocol by signing the records by a public / private key system.

This extension allows the client to verify that the response received is valid and has not been changed by a man-in-the-middle attack.

This extension is standardized by the following RCF :

To illustrate this tutorial, we are going to have how to sign a zone on domain controller.

Sign a zone with DNSSEC on Windows Server

Open the DNS Manager console and go to the Forward Lookup Zones 1 node. It can be seen that the DNSSEC state of the lab.intra zone is Unsigned 2 .

Zones overview

Right-click on the zone to sign 1 , go to DNSSEC 2 then click on Sign zone 3 to launch the wizard.

Param DNSSEC for zone

When launching the wizard, click Next 1 .

Wizard DNSSEC configuration

Choose the option Customize zone signature settings 1 and click Next 2 .

DNSSEC signature options

Choose the server to put keys 1 and click Next 2 .

Master of keys for DNSSEC

A summary of the KSK key is displayed (this is used to sign a zone), click on Next 1 .

KSK key

Click on Add 1 .

Wizard DNSSEC add KSK

Click OK 1 to validate the parameters of the KSK key.

Params key KSK

KSK key is added 1 click Next 2 .

Key KSK added

A summary of the ZSK key (data / record signature) is displayed, click Next 1 .

DNSSEC - key ZSK

Click Add 1 to configure the ZSK key.

Add ZSK key

Click OK 1 to validate the parameters of the ZSK key.

DNSSEC - key ZSK param

The key ZSK is added 1 , click Next 2 .

DNSSEC - key ZSK added

Select the protocol NSEC3 1 then click Next 2 .

DNSSEC - select NSEC3

Leave the default options on the configuration of the approval anchors, click Next 1 .

Anchor config

Leave the signature settings by default, click Next 1 .

DNSSEC - param signature

A summary of the DNSSEC configuration is displayed, click Next 1 to validate it.

Summary config dnssec

The configuration applied to the zone, leave the wizard by clicking Close 1 .

signed zone

Refresh the zone in the DNS Manager console, we see that a padlock has been added to the zone folder to indicate that the zone is singed with DNSSEC and several RRSIG, DNSKEY, NSEC3 … records have been added. Each record contains its signature with an RRSIG record of the same name.

Use DNSSEC

On a DNS client node, open a PowerShell command prompt and enter the following command:

Resolve-DnsName  -Server 
resolver-dnsname

The DNS server returned a “normal” response, without any signing information.

To force a query and especially a secure response, add the -DnssecOK parameter to the previous command.

Resolve-DnsName  -Server  -DnssecOK
resolver-dnsname

We can see the signature parameters in the answer.

Group Policy for a DNSSEC Resolution

As we have just seen, to recover a secure record, it is necessary to inform Windows to do so. In order for the extensions in the domain to use DNSSEC, we will add a Group Policy that will configure the NRPT (Name Resolution Policy) table of the computers to indicate that the zone is signed.

On a domain controller, open the Group Policy Management console, right-click on domain 1 and click Create GPO in this domain and link it here 2 .

New GPO

Name the GPO 1 then click OK 2 .

Nammed GPO for DNSSEC


Right click on the added strategy 1 and click on Edit 2 .

Edit GPO



Go to Computer Configuration / Windows Settings / Name Resolution Policy 1 . Enter the DNS suffix of the signed area 2 , check that the Enable DNSSEC in this rule 3 and Ask DNS clients to verify address name data check boxes have been validated by the DNS server 4 are ticked and click on Create 5 .

Config DNSSEC


The domain has been at the name resolution strategy table 1 , click Apply 2 .

zone added


Summary of the strategy:

GPO DNSSEC Overview

On a node in the domain where the policy is applied (gpupdate), open a PowerShell command prompt and enter the following command :

Resolve-DnsName <RecordInZone>

The command must return the IP address with the signature information.

DNSSEC resolve name



Leave a Comment