DNSSEC (Domain Name System Security Extensions) is an extension of the DNS protocol that adds authenticity and integrity to DNS data by signing the resource record sets of a zone with a public / private key pair. The public keys are published in the zone (DNSKEY records) and the signatures alongside the data (RRSIG records).
This extension allows a validating resolver to verify that the response received really comes from the zone owner and has not been altered in transit, for example by a man-in-the-middle attack or cache poisoning. DNSSEC does not encrypt queries or answers; it only makes tampering detectable.
This extension is standardized by the following RFCs:
To illustrate this tutorial, we are going to see how to sign a zone on a domain controller.
Sign a zone with DNSSEC on Windows Server
Refresh the zone in the DNS Manager console: a padlock has been added to the zone folder to indicate that the zone is signed with DNSSEC, and several RRSIG, DNSKEY, NSEC3 … records have been added. Each record set in the zone now has its signature in an RRSIG record with the same owner name.
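The same signing step can be done from PowerShell on the DNS server, and the checks the tutorial describes in DNS Manager (padlock, DNSKEY/RRSIG/NSEC3 records, one RRSIG per record name) can be scripted. The block below is an added example, not code from the original tutorial; the zone name "lab.intra" and the server name "DC01" are placeholders, and it assumes the DnsServer module (installed with the DNS Server role) is available.

```powershell
# Added example (not part of the original tutorial).
# Assumptions: 'lab.intra' is the zone to sign and 'DC01' a DNS server / domain
# controller hosting it; both are placeholders. Run from an elevated prompt
# on a machine with the DnsServer module (RSAT or the DNS Server role).
Import-Module DnsServer

$Zone   = 'lab.intra'
$Server = 'DC01'

# Sign the zone with the default parameters (what the DNS Manager wizard does
# with "Use default settings to sign the zone"). -Force skips the confirmation.
Invoke-DnsServerZoneSign -ZoneName $Zone -SignWithDefault -Force -ComputerName $Server

# The padlock in DNS Manager corresponds to IsSigned = True.
Get-DnsServerZone -Name $Zone -ComputerName $Server | Select-Object ZoneName, IsSigned

# Count the DNSSEC record types that signing added. A signed zone must carry
# at least one DNSKEY, and every record set gets an RRSIG.
foreach ($Type in 'DnsKey', 'RRSig', 'NSec3', 'NSec3Param') {
    $Records = Get-DnsServerResourceRecord -ZoneName $Zone -RRType $Type -ComputerName $Server -ErrorAction SilentlyContinue
    '{0,-11} {1,5}' -f $Type, @($Records).Count
}

# Every owner name in the zone should have an RRSIG with the same name
# (the check the tutorial describes after refreshing DNS Manager).
$SignedNames = Get-DnsServerResourceRecord -ZoneName $Zone -RRType RRSig -ComputerName $Server |
               Select-Object -ExpandProperty HostName -Unique

Get-DnsServerResourceRecord -ZoneName $Zone -ComputerName $Server |
    Where-Object { $_.RecordType -notin 'RRSIG' -and $_.HostName -notin $SignedNames } |
    ForEach-Object { "WARNING: no RRSIG found for $($_.HostName) ($($_.RecordType))" }
```

If the last loop prints nothing, every name in the zone is covered by a signature. Records added later are signed automatically by the server as long as the zone stays signed; the warning loop is a useful sanity check after a key rollover or an unsigned import.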
On a DNS client, open a PowerShell prompt and enter the following command:
Resolve-DnsName <RecordInZone> -Server <DNSServer>
By default the answer contains no signature. To ask the server for a DNSSEC-aware response (it sets the DO bit in the EDNS0 OPT record, so the server returns the RRSIG records that cover the answer), add the -DnssecOk parameter to the previous command:
Resolve-DnsName <RecordInZone> -Server <DNSServer> -DnssecOk
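To see the difference between the two queries side by side, the function below runs both against the same server and reports whether RRSIG records came back and which sections they sit in. This is an added example, not code from the original tutorial; "www.lab.intra" and "DC01" are placeholders for a record in the signed zone and the DNS server that hosts it.

```powershell
# Added example (not part of the original tutorial).
# Assumptions: 'www.lab.intra' is a record in the signed zone and 'DC01' the
# DNS server hosting it; both are placeholders.
function Test-DnssecAnswer {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server
    )

    # -DnsOnly / -NoHostsFile keep LLMNR, NetBIOS and the hosts file out of
    # the picture so we only observe what the DNS server sends.
    $Plain  = @(Resolve-DnsName -Name $Name -Server $Server -DnsOnly -NoHostsFile -ErrorAction SilentlyContinue)

    # -DnssecOk sets the DO bit: the server adds the RRSIG covering each
    # record set it returns. The records are still accepted without any
    # validation here; this only shows what is on the wire.
    $Dnssec = @(Resolve-DnsName -Name $Name -Server $Server -DnsOnly -NoHostsFile -DnssecOk -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        Name               = $Name
        Server             = $Server
        PlainRecordTypes   = ($Plain  | Select-Object -ExpandProperty Type -Unique) -join ','
        DnssecRecordTypes  = ($Dnssec | Select-Object -ExpandProperty Type -Unique) -join ','
        SignatureReturned  = [bool]($Dnssec | Where-Object Type -eq 'RRSIG')
        # Section tells you whether a signature covers the answer itself or
        # only authority/additional data (e.g. NSEC3 for a negative answer).
        SignatureSections  = ($Dnssec | Where-Object Type -eq 'RRSIG' |
                              Select-Object -ExpandProperty Section -Unique) -join ','
    }
}

# Usage (placeholders): expect SignatureReturned = True only for the DO-bit query,
# and PlainRecordTypes to contain no RRSIG.
Test-DnssecAnswer -Name 'www.lab.intra' -Server 'DC01' | Format-List
```

A response with RRSIG records only proves that the server sent signatures; it does not mean the client checked them. Whether the chain of trust is actually verified depends on the resolver configuration (the trust anchor on the DNS server and the NRPT rule on the client) described in the next section.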
Group Policy for a DNSSEC Resolution
As we have just seen, to obtain a secured response the client has to be told to ask for one. For the computers in the domain to use DNSSEC for this zone, we will add a Group Policy that configures the Name Resolution Policy Table (NRPT) of the computers to indicate that the zone is signed and that validated answers are required. Note that the Windows DNS client does not validate signatures itself: validation is done by the DNS server it queries, and the NRPT rule makes the client require that the server reports the answer as validated (the AD bit). A DNS server that does not host the zone needs a trust anchor for it (Trust Points in DNS Manager) before it can validate.
Go to Computer Configuration / Windows Settings / Name Resolution Policy (1). Enter the DNS suffix of the signed zone (2), tick Enable DNSSEC in this rule (3) and Require DNS clients to check that name and address data has been validated by the DNS server (4), then click Create (5).
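The same NRPT rule can be created from PowerShell, either directly in a domain GPO or locally on a single machine for testing, and its effect checked on a client. The block below is an added example, not code from the original tutorial; the suffix ".lab.intra", the GPO name "DNSSEC NRPT" and the server "DC01" are placeholders, and it assumes the GPO already exists and is linked where the client computers live.

```powershell
# Added example (not part of the original tutorial).
# Assumptions (placeholders): '.lab.intra' is the suffix of the signed zone,
# 'DNSSEC NRPT' an existing GPO linked to the clients, 'DC01' the DNS server.
$Suffix  = '.lab.intra'    # leading dot = apply to the whole DNS suffix, as in the GPO dialog
$GpoName = 'DNSSEC NRPT'

# Equivalent of the five GPO steps: suffix, enable DNSSEC, require validation.
# Run from a machine with the GroupPolicy / DnsClient modules (RSAT).
Add-DnsClientNrptRule -Namespace $Suffix -DnsSecEnable -DnsSecValidationRequired `
    -GpoName $GpoName -Comment 'Require validated answers for the signed zone'

# Weak variant to avoid: DNSSEC enabled but validation not required. The client
# will then accept an unvalidated answer for the zone just as before.
#   Add-DnsClientNrptRule -Namespace $Suffix -DnsSecEnable -GpoName $GpoName

# For a quick local test without a GPO, omit -GpoName to write the rule into
# the local NRPT of the current machine:
#   Add-DnsClientNrptRule -Namespace $Suffix -DnsSecEnable -DnsSecValidationRequired

# On a client, after gpupdate /force, confirm the rule is in the effective policy.
Get-DnsClientNrptPolicy -Effective |
    Where-Object Namespace -eq $Suffix |
    Select-Object Namespace, DnsSecValidationRequired, DnsSecQueryIPsecRequired

# With the rule in place a normal query in that namespace is sent DNSSEC-aware
# and rejected if the server cannot report it as validated; -DnssecOk is no
# longer needed on the command line.
Resolve-DnsName -Name "www$Suffix" -Server 'DC01'
```

If DnsSecValidationRequired shows False or the namespace is missing from the effective policy, the GPO has not applied to that machine yet (check gpresult /r) or the suffix does not match the one entered in the rule.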
On a node in the domain where the policy has been applied (after running gpupdate), open a PowerShell prompt and enter the following command: