The DNS server and client in Windows Server 2008 R2 introduce support for Domain Name System Security Extensions (DNSSEC). With the Windows Server 2008 R2 DNS server, you can now sign zones and host DNSSEC-signed zones to provide security for your DNS infrastructure.
The following changes are available in DNS server in Windows Server 2008 R2:
- Ability to sign a zone and host signed zones.
- Support for changes to the DNSSEC protocol.
- Support for DNSKEY, RRSIG, NSEC, and DS resource records.
The following changes are available in DNS client in Windows Server 2008 R2:
- Ability to indicate knowledge of DNSSEC in queries.
- Ability to process the DNSKEY, RRSIG, NSEC, and DS resource records.
- Ability to check whether the DNS server with which it communicated has performed validation on the client's behalf.
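As an added illustration (not code from Microsoft or from the original post), the Python sketch below shows how the first and last of these client abilities appear on the wire: a query signals DNSSEC awareness with the DO bit in an EDNS0 OPT record (RFC 3225), and the client reads the AD bit in the response header to see whether the server reports having validated the answer (RFC 4035). The function names and the sample response headers are constructed for this example.

```python
import struct

DO_BIT = 0x8000   # "DNSSEC OK" flag carried in the OPT record's TTL field
AD_BIT = 0x0020   # "Authenticated Data" flag in the DNS header
TYPE_OPT = 41     # EDNS0 pseudo-record type

def encode_name(name):
    """Encode a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_query(name, qtype=1, msg_id=0x1234, dnssec_ok=True):
    """Build a query with one question and one OPT record in the additional section."""
    header = struct.pack("!HHHHHH", msg_id, 0x0100, 1, 0, 0, 1)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size,
    # TTL = extended RCODE (8 bits) | version (8 bits) | flags (16 bits), RDLEN=0
    ttl = DO_BIT if dnssec_ok else 0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, ttl, 0)
    return header + question + opt

def do_bit_set(query):
    """Report whether a query produced by build_query() advertises DNSSEC awareness."""
    pos = 12
    while query[pos]:                 # skip the question name labels
        pos += query[pos] + 1
    pos += 1 + 4                      # root label, then QTYPE and QCLASS
    name, rtype, _size, ttl, _rdlen = struct.unpack("!BHHIH", query[pos:pos + 11])
    return name == 0 and rtype == TYPE_OPT and bool(ttl & DO_BIT)

def server_validated(response):
    """True if the response header has AD set (server claims it validated)."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", response[2:4])[0]
    return bool(flags & AD_BIT)

# Constructed sample response headers (not captured traffic):
# QR=1, RD=1, RA=1, with and without AD.
VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)
UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 1)

if __name__ == "__main__":
    q = build_query("example.com")
    print("DO bit in query:", do_bit_set(q))
    print("AD in validated sample:", server_validated(VALIDATED))
    print("AD in unvalidated sample:", server_validated(UNVALIDATED))
```

The AD flag is an assertion made by the server, so a client that relies on it is trusting both that server and the network path to it.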
The DNS client's behavior with respect to DNSSEC is controlled through the Name Resolution Policy Table (NRPT), which stores settings that define the DNS client's behavior. The NRPT is typically managed through Group Policy.
Check out http://technet.microsoft.com/en-us/library/dd378952(WS.10).aspx for more information.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer