Hello everyone,

The Windows Server networking team has just published a comprehensive guide for deploying DNSSEC with Windows Server 2012 and Windows Server 2012 R2. Check it out here:

DNSSEC in Windows Server 2012

step by step guide for deploying and testing DNSSEC in Windows Server 2012 has been available since February of 2012, but all the details for deploying DNSSEC in a production environment are now available.

The guide covers both concepts and procedures for signing DNS zones with DNSSEC using Windows Server 2012 or Windows Server 2012 R2. Previously, you could only sign offline, static zones, but Windows Server 2012 introduced full support for online signing of zones that support dynamic updates.

Topics in the guide include:

  • An overview of DNSSEC that discusses how DNSSEC works, including a description of DNSSEC related resource records and how DNSSEC is able to validate DNS responses.
  • A summary of DNSSEC support in Windows operating systems. The summary includes information about DNS servers, zones, clients, and validation (trust anchors and name resolution policies).
  • Information to help with deployment planning, including why to deploy DNSSEC, how to deploy it in a staged manner, requirements, and performance considerations.
  • Detailed click-by-click procedures, organized into checklists, to deploy and manage DNSSEC signed zones, clients, and servers.
  • Additional information is also provided in the appendices, including a DNSSEC terminology list and a table of Windows PowerShell cmdlets for DNS Server.

If you haven't tried DNSSEC yet, you should definitely check it out. I hope you find the guide useful!

-Greg