Term
|
Definition
| DNSSEC uses digital signatures and cryptographic keys to validate that DNS responses are authentic. |
|
|
Term
|
Definition
| Signatures generated with DNSSEC are contained within the DNS zone itself in the new resource records. These new resource records are called RRSIG (resource record signature) records. When a resolver issues a query for a name, the RRSIG record is returned in the response. A public cryptographic key called a DNSKEY is needed to verify the signature. The DNSKEY is retrieved by a DNS server during the validation process. |
|
|
Term
|
Definition
| When you sign a zone with DNSSEC, you are individually signing all the records contained in the zone. This makes it possible to add, modify, or delete records in the zone without re-signing the entire zone. It is only necessary to re-sign the updated records. |
|
|
Term
| What is "Authenticated Denial of Existance"? |
|
Definition
What if a DNS query is for a record that does not exist? If the DNS server responds that no record was found, this response also needs to be validated as authentic. However, since there is no resource record, then there is no RRSIG record. The answer to this problem is the Next Secure (NSEC) record. NSEC records create a chain of links between signed resource records. To create NSEC records, the zone is sorted and NSEC records are created such that each NSEC record has a pointer to the next NSEC record. The last NSEC record points back to the first record. When a query is submitted for a nonexistent record, the DNS server returns the NSEC record prior to where the nonexistent record would have been in the order. This allows for something called authenticated denial of existence.
NSEC3 is a replacement or alternative to NSEC that has the additional benefit of preventing “zone walking” which is the process of repeating NSEC queries in order to retrieve all the names in a zone. A DNS server running Windows Server® 2012 supports both NSEC and NSEC3. A zone can be signed with either NSEC or NSEC3, but not both. |
|
|
Term
| What is a "Trust Anchor"? |
|
Definition
| A trust anchor is a preconfigured public key associated with a specific zone. A validating DNS server must be configured with one or more trust anchors in order to perform validation. If the DNS server is running on a domain controller, trust anchors are stored in the forest directory partition in Active Directory Domain Services (AD DS) and can be replicated to all domain controllers in the forest. On standalone DNS servers, trust anchors are stored in a file named TrustAnchors.dns. A DNS server running Windows Server 2012 also displays configured trust anchors in the DNS Manager console tree in the Trust Points container. You can also use Windows PowerShell or Dnscmd.exe to view trust anchors. |
|
|
Term
| Which O/S's are the "DNSSEC Aware Clients"? |
|
Definition
| In Windows 8 and Windows Server 2012 the DNS Client service continues to be non-validating and security-aware, the same as computers running Windows 7 and Windows Server® 2008 R2. When the DNS client issues a query, it can indicate to the DNS server that it understands DNSSEC. However, the client is non-validating. When issuing queries, the DNS client relies on the local DNS server to indicate that validation was successful. If the server fails to perform validation, or reports that validation was unsuccessful, the DNS Client service can be configured to return no results. |
|
|
Term
| Which O/S's are the "DNSSEC Aware Clients"? |
|
Definition
| In Windows 8 and Windows Server 2012 the DNS Client service continues to be non-validating and security-aware, the same as computers running Windows 7 and Windows Server® 2008 R2. When the DNS client issues a query, it can indicate to the DNS server that it understands DNSSEC. However, the client is non-validating. When issuing queries, the DNS client relies on the local DNS server to indicate that validation was successful. If the server fails to perform validation, or reports that validation was unsuccessful, the DNS Client service can be configured to return no results. |
|
|
Term
| What is the "Name Resolution Policy Table (NRPT)? |
|
Definition
The Name Resolution Policy Table (NRPT) is a table that contains rules you can configure to specify DNS settings or special behavior for names or namespaces. The NRPT can be configured using Group Policy or by using the Windows Registry.
When performing DNS name resolution, the DNS Client service checks the NRPT before sending a DNS query. If a DNS query or response matches an entry in the NRPT, it is handled according to settings in the policy. Queries and responses that do not match an NRPT entry are processed normally. You can use the NRPT to require that the DNS Client service perform DNSSEC validation of DNS responses for the namespaces that you specify. |
|
|
Term
| For DNSSEC lab instructions see: "Step-by-Step: Demonstrate DNSSEC in a Test Lab" at this URL: |
|
Definition
| http://technet.microsoft.com/library/hh831411.aspx |
|
|
