Deploying DNSSEC

 
To deploy DNSSEC:
1. Install Windows Server 2012, and assign the DNS role to the server. Typically, a domain controller also acts as the DNS server. However, this is not a requirement.
2. Sign the DNS zone by using the DNSSEC Configuration Wizard, which is located in the DNS console.
3. Configure trust anchor distribution points.
4. Configure the Name Resolution Policy Table (NRPT) on the client computers.
 
Assigning the DNS Server Role
To assign the DNS server role, use the Add Roles and Features Wizard in the Server Manager dashboard. You can also add this role when you add the AD DS role. Then create the primary zones on the DNS server. For an Active Directory-integrated zone, the signed records and the DNSSEC settings replicate through AD DS, so any Windows Server 2012 DNS server that later loads the zone receives them automatically and does not have to sign the zone separately.
Signing the Zone
The following signing options are available:
Configure the zone signing parameters. This option guides you through every page of the wizard and lets you set all values yourself: the key signing key (KSK) and zone signing key (ZSK) algorithms, key lengths and rollover periods, the denial-of-existence method (NSEC or NSEC3), trust anchor distribution, and the signature validity and polling periods.
Sign the zone with parameters of an existing zone. This option copies the values and options that are set in another signed zone, which keeps a set of zones consistent.
Use recommended settings. This option signs the zone by using the default values (in Windows Server 2012: RSA/SHA-256 keys, a 2048-bit KSK, a 1024-bit ZSK, and NSEC3).
 
Note: Zones can also be unsigned by using the DNSSEC management user interface to remove zone signatures.
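The three wizard options map onto the DnsServer PowerShell module that is installed with the DNS role on Windows Server 2012. The following script is an added example, not code from the course material: it takes the first option (explicit KSK and ZSK parameters), signs the zone, and then checks that the server actually serves signatures. The zone name contoso.com, the key lengths and the rollover periods are assumptions chosen for illustration.

```powershell
# Added example, not from the course text. Run in an elevated PowerShell session
# on the Windows Server 2012 DNS server that holds the primary copy of the zone.
# The zone name, key sizes and rollover periods below are assumptions.
Import-Module DnsServer

$zone = 'contoso.com'   # assumed zone; it must already exist as a primary zone

# Wizard option 1, "Configure the zone signing parameters", done explicitly.
# KSK: longer key, rolled rarely, because its DS record lives in the parent zone.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 `
    -RolloverPeriod (New-TimeSpan -Days 755) `
    -KeyStorageProvider 'Microsoft Software Key Storage Provider'

# ZSK: signs the zone data and is rolled often; no parent-zone change is needed.
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 -KeyLength 1024 `
    -RolloverPeriod (New-TimeSpan -Days 90) `
    -KeyStorageProvider 'Microsoft Software Key Storage Provider'

# Sign with the keys configured above. Without -SignWithDefault the cmdlet uses
# the zone's own keys and settings; wizard option 3 ("Use recommended settings")
# is simply: Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# Use NSEC3 for denial of existence: plain NSEC lets anyone walk the zone and
# enumerate every name. Changing this on a signed zone re-signs it.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 `
    -NSec3Iterations 10 -NSec3RandomSaltLength 8

# Review what was applied.
Get-DnsServerSigningKey -ZoneName $zone |
    Format-Table KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod -AutoSize
Get-DnsServerDnsSecZoneSetting -ZoneName $zone |
    Format-List DenialOfExistence, NSec3Iterations, DistributeTrustAnchor

# A signed zone answers a query with the DO bit set by returning RRSIG records
# next to the data. If none come back, the zone is not serving signed data.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server 127.0.0.1 -DnssecOk
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    throw "No RRSIG returned for www.$zone; the zone is not serving signed data."
}

# To remove the signatures again (the note above), run:
#   Invoke-DnsServerZoneUnsign -ZoneName $zone -Force
```

Creating the keys with Add-DnsServerSigningKey before signing, rather than accepting the defaults, leaves the algorithm, key length and rollover period on record in the script; the Resolve-DnsName check at the end is the one to repeat after every zone change, because a zone that is marked signed but returns no RRSIG records will fail validation everywhere once trust anchors are distributed.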
Configuring Trust Anchor Distribution Points
If the zone is Active Directory-integrated, and all domain controllers are running Windows Server 2012, you can choose to distribute the trust anchors to all DNS servers in the forest through AD DS. Make this selection with caution: a trust anchor turns on DNSSEC validation on every server that receives it, so if the anchor does not match the zone's keys, or the zone's signatures are not yet correct, those servers fail resolution for the zone. Test the signed zone thoroughly before you distribute the anchor. Computers that are not domain joined, for example a DNS server in the perimeter network (also known as a screened subnet), cannot receive the anchor from AD DS, so their anchor has to be installed by hand. For those servers, enable automated key rollover (automatic update of trust anchors under RFC 5011) for the zone; otherwise the hand-installed anchor becomes invalid at the next KSK rollover and that server fails every lookup for the zone.
Note: A key rollover is the act of replacing one key pair with another at the end of a key’s effective period.
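The two trust anchor cases above in script form, added here as an example and not taken from the course. Part 1 runs on the key master inside the forest and turns on AD DS distribution and RFC 5011 for the zone; Part 2 runs on a DNS server that is not domain joined and so must be given the anchor by hand. The zone name contoso.com, the file path, and the way the exported key file is carried between the two hosts are assumptions.

```powershell
# Added example, not from the course text. Zone name and file path are assumptions.
Import-Module DnsServer

$zone = 'contoso.com'

# --- Part 1: on the key master for the AD-integrated zone ---

# Only after the signed zone has been tested: publish the trust anchor through
# AD DS to every Windows Server 2012 DNS server in the forest. Each of them starts
# validating the zone as soon as the anchor arrives, so a wrong anchor here is a
# forest-wide outage for the zone, not a local one.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DistributeTrustAnchor DnsKey

# Let validators that hold a hand-installed anchor follow KSK rollovers by
# RFC 5011. Without this, such an anchor goes stale at the next rollover.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -EnableRfc5011KeyRollover $true

# Export the KSK(s) (DNSKEY flags 257; a ZSK has flags 256) for servers that
# cannot get the anchor from AD DS. Carry the file to the edge server over a
# channel you trust: whoever can alter it controls what that server believes.
$ksk = Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey |
    Where-Object { $_.RecordData.KeyFlags -eq 257 }
New-Item -ItemType Directory -Force -Path 'C:\dnssec' | Out-Null
$ksk.RecordData | Select-Object CryptoAlgorithm, KeyProtocol, Base64Data |
    Export-Clixml -Path "C:\dnssec\$zone-ksk.xml"

# --- Part 2: on the non-domain-joined DNS server in the screened subnet ---

$imported = Import-Clixml -Path "C:\dnssec\$zone-ksk.xml"   # copied from Part 1
foreach ($k in @($imported)) {
    Add-DnsServerTrustAnchor -Name $zone -KeyProtocol Dnssec `
        -CryptoAlgorithm $k.CryptoAlgorithm -Base64Data $k.Base64Data
}

# The anchor state should become Valid once the server has fetched the zone's
# DNSKEY RRset and found a key that matches; RFC 5011 then tracks later rollovers.
Get-DnsServerTrustAnchor -Name $zone | Format-List

# Quick validation check: a query with validation on must succeed, and if it
# fails while the same query with checking disabled (CD) succeeds, the anchor
# and the zone's signatures do not chain together.
try {
    Resolve-DnsName -Name "www.$zone" -Type A -Server 127.0.0.1 -DnssecOk -ErrorAction Stop | Out-Null
    'validation OK'
}
catch {
    "validation FAILED: $($_.Exception.Message)"
    Resolve-DnsName -Name "www.$zone" -Type A -Server 127.0.0.1 -DnssecCd
}
```

The order in Part 1 matters: the zone must already be signed and answering with RRSIG records before DistributeTrustAnchor is set, because every server in the forest that receives the anchor begins validating immediately, which is exactly the outage the course warns about.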
Configuring NRPT on Client Computers
The DNS client computer performs DNSSEC processing only for the domain names that the NRPT configures it to. A client computer that is running Windows 7 (and likewise Windows 8) is DNSSEC-aware but non-validating: it sets the DO bit in its queries and checks that the DNS server reports a validated answer (the AD bit), but it does not check the signatures itself. It relies on the security-aware DNS server to perform validation on its behalf, so the answer is only as trustworthy as the path between the client and that server; the NRPT can require IPsec for queries in the namespace to protect that path.
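An added example of the NRPT step, written against the GroupPolicy and DnsClient PowerShell modules and not taken from the course: it creates the rule in a Group Policy object so that domain clients receive it, then checks the effective policy on a client. The GPO name, the OU and the namespace are assumptions; the IPsec switches assume that a connection security rule between the clients and the DNS servers already exists.

```powershell
# Added example, not from the course text. GPO name, OU and namespace are assumptions.
# Part 1 runs on a domain controller or an admin workstation with RSAT installed.
Import-Module GroupPolicy, DnsClient

$gpoName = 'DNSSEC - NRPT'                          # assumed GPO name
$target  = 'OU=Workstations,DC=contoso,DC=com'      # assumed OU holding the clients

if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | New-GPLink -Target $target | Out-Null
}

# The rule: for names under contoso.com the client sets DO and requires the DNS
# server to report a validated answer (AD bit); otherwise it discards the answer.
# -DnsSecQueryIPsecRequired protects the client-to-server hop. A Windows 7/8
# client does not validate itself, so it must be able to trust the server that
# says "validated". This assumes an IPsec connection security rule to the DNS
# servers already exists; without one, every lookup in the namespace fails.
Add-DnsClientNrptRule -GpoName $gpoName -Namespace '.contoso.com' `
    -DnsSecEnable -DnsSecValidationRequired `
    -DnsSecQueryIPsecRequired -DnsSecQueryIPsecEncryption Medium `
    -Comment 'Require DNSSEC validation for the internal namespace'

# Review what the GPO now carries.
Get-DnsClientNrptRule -GpoName $gpoName

# Part 2, on a client: pull the policy and confirm the rule is in effect.
# (For a one-machine lab on Windows 8 or Windows Server 2012, omit -GpoName above
# and the rule is written to the local computer instead of a GPO.)
gpupdate.exe /target:computer /force | Out-Null
Get-DnsClientNrptPolicy -Effective | Where-Object { $_.Namespace -eq '.contoso.com' }
```

A leading dot in the namespace makes the rule a suffix match for the whole domain. The Get-DnsClientNrptPolicy -Effective output is the place to look when a client suddenly cannot resolve internal names after the policy is applied: DnsSecValidationRequired combined with a DNS server that does not yet validate the zone produces exactly that symptom.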
