Because DNS is often subject to man-in-the-middle, spoofing, and cache-poisoning attacks that are hard to defend against, the DNS server and client in Windows Server® 2008 R2 introduce support for Domain Name System Security Extensions (DNSSEC). In short, DNSSEC allows for a DNS zone and all the records in the zone to be cryptographically signed. When a DNS server hosting a signed zone receives a query, it returns the digital signatures in addition to the records queried for. A resolver or another server can obtain the public key of the public/private key pair and validate that the responses are authentic and have not been tampered with. In order to do so, the resolver or server must be configured with a trust anchor for the signed zone, or for a parent of the signed zone.

The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035 and add origin authority, data integrity, and authenticated denial of existence to DNS. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC, and DS) to DNS.

The following changes are available in DNS server in Windows Server 2008 R2:

  • Ability to sign a zone and host signed zones.

  • Support for changes to the DNSSEC protocol.

  • Support for DNSKEY, RRSIG, NSEC, and DS resource records.

The following changes are available in DNS client in Windows Server 2008 R2:

  • Ability to indicate knowledge of DNSSEC in queries.

  • Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.

  • Ability to check whether the DNS server with which it communicated has performed validation on the client’s behalf.

The DNS client’s behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client’s behavior. The NRPT is typically managed through Group Policy.

Additional references