DNSSEC

DNSSEC is a security setting for DNS that enables all DNS records in a zone to be digitally signed by a trust anchor which validates DNSKEY resource records. Root and top-level domain zones already have trust anchors configured and merely have to have it enabled.

To implement trust anchors:

• A TrustAnchors zone must be created, which will store public keys associated with specific zones. A trust anchor from the secured zone must be created on every DNS server that hosts the zone.
• A Name Resolution Policy Table (NRPT) GPO must be created (Windows Settings\Name Resolution Policy) This option can require DNSSEC based on computer name prefix or suffix, FQDN, or subnet.
• DNSSEC key master is a special DNS server that generates and manages signing keys for DNSSEC protected zones. DANE allows you to publish certificate information within the DNS zone, rather than one of the thousands of trusted CAs. This protects against rogue/compromised CAs issuing illegitimate TLS certificates.

Two cryptographic keys:

• Zone Signing Key (ZSK) signs zone data including individual resource records other than DNSKEY. It is also used to create the KSK.
• Key Signing Key (KSK) is used to sign all DNSKEY records at the zone root.

DNSSEC record types:

• RRSIG "resource record signature" each of which matches and provides a signature for an existing record in a zone
• NSEC proves nonexistence of a record
• NSEC3 NSEC replacement that prevents zone walking
• NSEC3PARAM specifies the NSEC3 records included in response for DNS names that don't exist
• DNSKEY stores public key used to verify a signature
• DS delegation signer records secure delegations