DNSSEC: Sign a DNS Zone with Windows Server


DNSSEC (Domain Name System Security Extensions) is an extension of the DNS protocol that adds security to the DNS protocol by signing the records by a public / private key system.

This extension allows the client to verify that the response received is valid and has not been changed by a man-in-the-middle attack.

This extension is standardized by the following RCF :

To illustrate this tutorial, we are going to have how to sign a zone on domain controller.

Sign a zone with DNSSEC on Windows Server

Open the DNS Manager console and go to the Forward Lookup Zones 1 node. It can be seen that the DNSSEC state of the lab.intra zone is Unsigned 2 .
Zones overview

Right-click on the zone to sign 1 , go to DNSSEC 2 then click on Sign zone 3 to launch the wizard.
Param DNSSEC for zone

When launching the wizard, click Next 1 .
Wizard DNSSEC configuration

Choose the option Customize zone signature settings 1 and click Next 2 .
DNSSEC signature options

Choose the server to put keys 1 and click Next 2 .
Master of keys for DNSSEC

A summary of the KSK key is displayed (this is used to sign a zone), click on Next 1 .
KSK key

Click on Add 1 .
Wizard DNSSEC add KSK

Click OK 1 to validate the parameters of the KSK key.
Params key KSK

KSK key is added 1 click Next 2 .
Key KSK added

A summary of the ZSK key (data / record signature) is displayed, click Next 1 .

Click Add 1 to configure the ZSK key.
Add ZSK key

Click OK 1 to validate the parameters of the ZSK key.
DNSSEC - key ZSK param

The key ZSK is added 1 , click Next 2 .
DNSSEC - key ZSK added

Select the protocol NSEC3 1 then click Next 2 .
DNSSEC - select NSEC3

Leave the default options on the configuration of the approval anchors, click Next 1 .
Anchor config

Leave the signature settings by default, click Next 1 .
DNSSEC - param signature

A summary of the DNSSEC configuration is displayed, click Next 1 to validate it.
Summary config dnssec

The configuration applied to the zone, leave the wizard by clicking Close 1 .
signed zone

Refresh the zone in the DNS Manager console, we see that a padlock has been added to the zone folder to indicate that the zone is singed with DNSSEC and several RRSIG, DNSKEY, NSEC3 … records have been added. Each record contains its signature with an RRSIG record of the same name.
DNSSEC - zone DNSSEC - zone


On a DNS client node, open a PowerShell command prompt and enter the following command:

The DNS server returned a “normal” response, without any signing information.

To force a query and especially a secure response, add the -DnssecOK parameter to the previous command.

We can see the signature parameters in the answer.

Group Policy for a DNSSEC Resolution

As we have just seen, to recover a secure record, it is necessary to inform Windows to do so. In order for the extensions in the domain to use DNSSEC, we will add a Group Policy that will configure the NRPT (Name Resolution Policy) table of the computers to indicate that the zone is signed.

On a domain controller, open the Group Policy Management console, right-click on domain 1 and click Create GPO in this domain and link it here 2 .

Name the GPO 1 then click OK 2 .
Nammed GPO for DNSSEC

Right click on the added strategy 1 and click on Edit 2 .Edit GPO

Go to Computer Configuration / Windows Settings / Name Resolution Policy 1 . Enter the DNS suffix of the signed area 2 , check that the Enable DNSSEC in this rule 3 and Ask DNS clients to verify address name data check boxes have been validated by the DNS server 4 are ticked and click on Create 5 .

The domain has been at the name resolution strategy table 1 , click Apply 2 .
zone added

Summary of the strategy:

On a node in the domain where the policy is applied (gpupdate), open a PowerShell command prompt and enter the following command:

The command must return the IP address with the signature information.
DNSSEC resolve name

Related Posts

DNS: conditional forwarder

Presentation of conditional forwarderSetting a conditional forwarder Presentation of conditional forwarder In this article, I will explain and show you how to set up a conditional forwarder on a Windo

DNS configuration of a redirector

Table Of ContentsPresentationConfigure a DNS forwarder Presentation When setting up a DNS server on Windows Server, it may be necessary to configure one or more DNS forwarders to public servers to res

Sophos XG: routing DNS queries

Presentation The routing of DNS queries is similar to a conditional redirector under Windows, which allows to indicate for a DNS zone the server or servers to contact to resolve a record. This type of