Lab 14: Implementing DNSSEC

The Domain Name System Security Extensions (DNSSEC) use public key cryptography to increase security when a user requests the IP address of a server in the DNS name space. DNSSEC allows a DNS zone to be digitally signed, which protects it from attacks and improves the security of the DNS environment.

DNSSEC involves a trust anchor, an authoritative source that stores the public key. It also involves an authoritative server, which holds the master set of DNS data and is updated whenever there are changes, and a non-authoritative server, which is a cache server whose data may not be up to date.

In the lab, a DNS server is required before any DNSSEC configuration. So I used DNS Manager to create a DNS zone that any client can connect to. Using this as a foundation, we can resolve an IP address from a DNS name with PowerShell. The output is simple at this stage because no security has been set up yet: the result is just an IP address, with no security information such as a signing time or a signature.

First, I used DNS Manager to create the zone, a sample resource record and a non-authoritative DNS server for later use.

Next, the detailed DNSSEC setup starts by signing the zone. It uses the default signing options and produces many security-related records, such as the RR signature (RRSIG) and the DNSKEY. DNSSEC relies on the trust anchor (TA), which means that these files need to be shared with the non-authoritative DNS server I created previously.

After sharing, both computers contain the DNSSEC secure file, which is located in the 'Trust Points' folder under the server.

Now a DNSSEC query shows DNSSEC information, specifically the key information. However, DNSSEC validation is not yet required at this point.

Validating DNS requires a public key, which is stored in the DNSKEY resource record, and validation can be turned on by configuring DNSSEC support in a GPO.

After that, using the same command shown below:

Get-DnsClientNrptPolicy

The "validation required" state will change to True.
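As an added example that is not part of the lab, the following PowerShell checks both sides of what the lab configures: whether the server now returns RRSIG and DNSKEY records for the zone (the "signed" state), and whether the client's NRPT policy, whether from the GPO or a local rule, requires validation. The zone name lab.example, the host www and the server address 10.0.0.10 are placeholders, not values from the lab.

```powershell
# Added example (not the lab's own code). Placeholders: zone 'lab.example',
# DNS server 10.0.0.10, record 'www'. Run from a domain-joined Windows client.
$Zone   = 'lab.example'
$Server = '10.0.0.10'

# 1. Query with the DNSSEC OK (DO) bit set so the server includes RRSIG records.
#    Before the zone is signed only the A record comes back; after signing,
#    the RRSIG (and a DNSKEY query) are present, which is what the lab observes.
function Test-ZoneSigned {
    param([string]$Name, [string]$ZoneName, [string]$DnsServer)
    $records = Resolve-DnsName -Name $Name -Type A -DnssecOk -Server $DnsServer -ErrorAction Stop
    $rrsig   = @($records | Where-Object { $_.Type -eq 'RRSIG' })
    $dnskey  = @(Resolve-DnsName -Name $ZoneName -Type DNSKEY -Server $DnsServer -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'DNSKEY' })
    [pscustomobject]@{
        Name        = $Name
        Addresses   = @($records | Where-Object { $_.Type -eq 'A' }).IPAddress
        RrsigCount  = $rrsig.Count
        DnskeyCount = $dnskey.Count
        Signed      = ($rrsig.Count -gt 0 -and $dnskey.Count -gt 0)
    }
}

# 2. Read the effective NRPT rule for the zone. DnsSecValidationRequired is the
#    field the lab watches flip to True after the GPO is applied.
function Get-ZoneValidationPolicy {
    param([string]$Namespace)
    Get-DnsClientNrptPolicy |
        Where-Object { $_.Namespace -eq $Namespace } |
        Select-Object Namespace, DnsSecValidationRequired, NameServers
}

# 3. Local equivalent of the GPO setting, for a test machine without Group Policy
#    (requires an elevated shell). The lab itself sets this through the GPO.
function Enable-ZoneValidationLocally {
    param([string]$Namespace, [string]$DnsServer)
    Add-DnsClientNrptRule -Namespace $Namespace -NameServers $DnsServer `
        -DnsSecEnable -DnsSecValidationRequired
}

Test-ZoneSigned -Name "www.$Zone" -ZoneName $Zone -DnsServer $Server
Get-ZoneValidationPolicy -Namespace ".$Zone"
```

If `Signed` is False while the zone has been signed in DNS Manager, the client is usually talking to a caching server that has not received the trust anchor yet, which is the sharing step the lab performs before querying.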

Another continuation of DNSSEC is unsigning the secure zone, for example when a change to the security settings causes a key mismatch and the signing needs to be redone. During the lab, I unsigned the zone in DNS Manager in a single simple step.
