Appendix B
DNSSEC Walkthrough

DNSSEC is a set of security extensions to DNS that provide the ability to authenticate DNS records. This walkthrough is designed to illustrate for the SSCP how to implement DNSSEC in a typical enterprise network that is running using Microsoft Windows Server 2012. The ability to move step by step through the implementation of DNSSEC will give the SSCP the ability to fully understand how the technology works and is integrated into the defense-in-depth architecture for the modern enterprise.

Hardware and Software Requirements

The following are required components of the test lab:

  • The product disc or other installation media for Windows Server 2012.
  • Two computers that meet the minimum hardware requirements for Windows Server 2012.

Configuring the Test Lab

The following procedures are used to configure computers for the demonstration portion of the test lab:

  • DC1 is a domain controller and Active Directory–integrated authoritative DNS server.
  • DNS1 is a non-authoritative, caching DNS server.

Configuring DC1

DC1 is a computer running Windows Server 2012, providing the following services:

  • A domain controller for the isc2.com Active Directory domain.
  • An authoritative DNS server for the isc2.com DNS zone.
  • A DNSSEC Key Master for the isc2.com DNS zone.

To install the operating system and configure TCP/IP on DC1, follow these steps:

  1. Start your computer using the Windows Server 2012 product disc or other digital media.
  2. When prompted, enter a product key, accept license terms, configure clock, language, and regional settings, and provide a password for the local Administrator account.
  3. Press Ctrl+Alt+Delete and sign in using the local Administrator account.
  4. If you are prompted to enable Windows Error Reporting, click Accept.
  5. Click Start, type ncpa.cpl, and then press Enter. The Network Connections control panel will open.
  6. In Network Connections, right-click Wired Ethernet Connection and then click Properties.
  7. Double-click Internet Protocol Version 4 (TCP/IPv4).
  8. On the General tab, choose Use the following IP address.
  9. Next to IP address type 10.0.0.1 and next to Subnet mask type 255.255.255.0. It is not necessary to provide an entry next to Default gateway.
  10. Next to Preferred DNS server, type 10.0.0.1.
  11. Click OK twice, and then close the Network Connections control panel.

To configure DC1 as a domain controller and DNS server, follow these steps:

  1. The Server Manager Dashboard is displayed by default. In the navigation pane, click Configure This Local Server.
  2. Under Properties, click the name next to Computer name. The System Properties dialog box will open.
  3. On the Computer Name tab, click Change and then type DC1 under Computer name.
  4. Click OK twice, and then click Close.
  5. When you are prompted to restart the computer, click Restart Now.
  6. After restarting the computer, sign in using the local Administrator account.
  7. In Server Manager, under Configure This Local Server, click Add Roles and Features.
  8. In the Add Roles and Features Wizard, click Next three times, and then on the Select Server Roles page select the Active Directory Domain Services checkbox.
  9. When you are prompted to add required features, click Add Features.
  10. Click Next three times, and then click Install.
  11. Wait for the installation process to complete, verify on the Installation progress page that “Configuration required. Installation succeeded on DC1” is displayed, and then click Close.
  12. Click the Notification flag and then click Promote This Server To A Domain Controller.
  13. In the Active Directory Domain Services Configuration Wizard, on the Deployment Configuration page, choose Add A New Forest and then next to Root domain name, type isc2.com.
  14. Click Next, and then on the Domain Controller Options page, under Type the Directory Services Restore Mode (DSRM) password, type a password next to Password and Confirm password. Confirm that Domain Name System (DNS) server and Global Catalog (GC) are selected, and then click Next.
  15. Click Next five times and then click Install.
  16. The computer will restart automatically to complete the installation process.
  17. Sign in using the local Administrator account.
  18. Next, a domain administrator account must be created to use when performing procedures in the test lab.

Creating a Domain Administrator Account

To create a domain administrator account, follow these steps:

  1. On the Server Manager menu bar, click Tools, and then click Active Directory Users and Computers.
  2. In the Active Directory Users and Computers console tree, double-click isc2.com, right-click Users, point to New, and then click User.
  3. In the New Object – User dialog box, type user1 under User logon name and next to Full Name, then click Next.
  4. Next to Password and Confirm password, type a password for the user1 account.
  5. Clear the checkbox next to User Must Change Password At Next Logon, select the Password Never Expires checkbox, click Next, and then click Finish.
  6. Double-click user1 and then click the Member Of tab.
  7. Click Add, type domain admins under Enter the object names to select, click OK twice, and then close the Active Directory Users and Computers console.
  8. Click Start, click Administrator, and then click Sign Out.
  9. Sign in to the computer using the user1 credentials by clicking the left arrow next to ISC2\Administrator and then clicking Other User.

Configuring the sec.isc2.com DNS Zone

Next, configure a new DNS zone: sec.isc2.com. This zone will be used to demonstrate DNSSEC zone signing.

  1. On the Server Manager menu, click Tools, and then click DNS.
  2. In the DNS Manager console tree, right-click Forward Lookup Zones and then click New Zone.
  3. In the New Zone Wizard, click Next three times, and then under Zone Name type sec.isc2.com.
  4. Click Next twice, and then click Finish.
  5. Verify that the zone sec.isc2.com is displayed under Forward Lookup Zones.
  6. Next, add one or more DNS resource records to the sec.isc2.com zone.
  7. Leave the DNS Manager console open.

To add DNS resource records to the sec.isc2.com zone, follow these steps:

  1. Right-click sec.isc2.com and then click New Host (A or AAAA).
  2. In the New Host dialog box, type dc1 under Name, type 10.0.0.1 under IP address, and then click Add Host. The IP address of dc1.isc2.com is used here to help demonstrate DNSSEC success and failure scenarios.
  3. Confirm that “The host record dc1.sec.isc2.com was successfully added” is displayed, and then click OK.
  4. Add additional resource records to the zone if desired, and then click Done.

Enabling Remote Desktop on DC1

DC1 will be used to demonstrate functionality of a network application in an environment with DNSSEC.

  1. In the Server Manager navigation pane, click Local Server.
  2. Click the word Disabled next to Remote Desktop.
  3. In the System Properties dialog box, on the Remote tab, click Allow Connections From Computers Running Any Version Of Remote Desktop (Less Secure), and then click OK.

Configuring DNS1

DNS1 is a computer running Windows Server 2012, providing the following services:

  • A non-authoritative, recursive DNS server.
  • A DNS client computer.
  • During the demonstration portion of the test lab, DNS1 will be used to perform recursive DNS queries, host a trust anchor for the isc2.com domain, and provide DNSSEC validation for DNS client queries. DNS1 will be used to issue DNS client queries.

Installing the OS and Configuring TCP/IP on DNS1

To install the operating system and configure TCP/IP on DNS1, follow these steps:

  1. Start your computer using the Windows Server 2012 product disc or other digital media.
  2. When prompted, enter a product key, accept license terms, configure clock, language, and regional settings, and provide a password for the local Administrator account.
  3. Press Ctrl+Alt+Delete and sign in using the local Administrator account.
  4. If you are prompted to enable Windows Error Reporting, click Accept.
  5. Click Start, type ncpa.cpl, and then press Enter. The Network Connections control panel will open.
  6. In Network Connections, right-click Wired Ethernet Connection and then click Properties.
  7. Double-click Internet Protocol Version 4 (TCP/IPv4).
  8. On the General tab, choose Use The Following IP Address.
  9. Next to IP address type 10.0.0.2 and next to Subnet mask type 255.255.255.0. It is not necessary to provide an entry next to Default gateway.
  10. Next to Preferred DNS server, type 10.0.0.2.
  11. Click OK twice, and then close the Network Connections control panel.

Installing and Configuring DNS on DNS1

To install and configure DNS on DNS1, follow these steps:

  1. In the Server Manager Dashboard navigation pane, click Configure This Local Server.
  2. Under Properties, click the name next to Computer Name. The System Properties dialog box will open.
  3. On the Computer Name tab, click Change and then type DNS1 under Computer name.
  4. Under Member Of, select Domain, type isc2.com, and then click OK.
  5. When you are prompted to provide credentials to join the domain, enter the credentials for the user1 account that was created previously.
  6. Confirm that computer name and domain changes were successful, click OK, and then click Close.
  7. When you are prompted to restart the computer, click Restart Now.
  8. After restarting the computer, sign in using the ISC2\user1 account.
  9. In Server Manager, under Configure This Local Server, click Add Roles and Features.
  10. In the Add Roles and Features Wizard, click Next three times, and then on the Select Server Roles page select the DNS Server checkbox.
  11. When you are prompted to add required features, click Add Features.
  12. Click Next three times, and then click Install.
  13. Wait for the installation process to complete, verify on the Installation progress page that “Installation succeeded on DNS1.isc2.com” is displayed, and then click Close.
  14. On the Server Manager menu bar, click Tools and then click DNS.
  15. In the DNS Manager console tree, right-click DNS1 and then click Properties.
  16. Click the Forwarders tab, click Edit, type 10.0.0.1, and then click OK twice.
  17. Leave the DNS Manager console open.

Signing a Zone on DC1 and Distributing Trust Anchors

Next, sign the sec.isc2.com zone and distribute a trust anchor for the zone. Trust anchor distribution is manual for DNS servers that are not running on domain controllers, such as DNS1.

  1. In the DNS Manager console tree on DC1, navigate to Forward Lookup Zones ⇒ sec.isc2.com.
  2. Right-click sec.isc2.com, point to DNSSEC, and then click Sign the Zone.
  3. In the Zone Signing Wizard, click Next, and then choose Use Recommended Settings to sign the zone.
  4. Click Next twice, confirm that “The zone has been successfully signed” is displayed, and then click Finish.
  5. Refresh the DNS Manager console and verify that a new icon is displayed for the sec.isc2.com zone, indicating that it is currently signed with DNSSEC.
  6. Click the sec.isc2.com zone and review the new resource records that are present, including DNSKEY, RRSIG and NSEC3 records.
  7. Leave the DNS Manager console open.

Distributing a Trust Anchor to DNS1

To distribute a trust anchor to DNS1, follow these steps:

  1. On DC1, click Windows Explorer on the taskbar.
  2. Navigate to C:\Windows\System32, right-click the dns folder, point to Share With, and then click Advanced Sharing.
  3. In the dns Properties dialog box, click Advanced Sharing, select the Share This Folder checkbox, verify the Share name is dns, and then click OK.
  4. Click Close and then close Windows Explorer.
  5. On DNS1, in the DNS Manager console tree, navigate to the Trust Points folder.
  6. Right-click Trust Points, point to Import, and then click DNSKEY.
  7. In the Import DNSKEY dialog box, type \\dc1\dns\keyset-sec.isc2.com and then click OK.

Verifying Trust Anchors

To verify trust anchors, follow these steps:

  1. In the console tree, navigate to Trust Points ⇒ com ⇒ isc2 ⇒ sec and verify that import was successful.
  2. On any computer, click Windows PowerShell, type the following command and then press Enter:
    Resolve-DnsName -Name sec.isc2.com.trustanchors -Type DNSKEY -Server dns1
  3. On DNS1, right-click Windows PowerShell and then click Run as Administrator.
  4. Type the following command and then press Enter:
    Get-DnsServerTrustAnchor -Name sec.isc2.com
  5. Verify that two trust anchors are displayed.
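The signing, trust-anchor import and verification steps above can also be run from PowerShell. The following is an added example, not part of the original walkthrough; it assumes the DnsServer module on DC1 and DNS1, the dns share created on DC1, and the sec.isc2.com zone built earlier in the lab.

```powershell
# Added example (not from the original walkthrough). Assumes the DnsServer
# module on DC1 and DNS1, the shared dns folder on DC1, and the sec.isc2.com
# zone created earlier in the lab.

# --- On DC1: sign sec.isc2.com with the recommended (default) settings ---
Invoke-DnsServerZoneSign -ZoneName 'sec.isc2.com' -SignWithDefault -Force -PassThru

# Signing creates a KSK and a ZSK; list them so algorithm and length can be
# checked before the public key is handed to other resolvers.
Get-DnsServerSigningKey -ZoneName 'sec.isc2.com' |
    Format-Table KeyType, CryptoAlgorithm, KeyLength, KeyId -AutoSize

# --- On DNS1 (Administrator PowerShell): import the KSK as a trust anchor ---
# DC1 writes the keyset file into %windir%\System32\dns, which is the folder
# shared as \\dc1\dns in the previous section.
Import-DnsServerTrustAnchor -KeySetFile '\\dc1\dns\keyset-sec.isc2.com' -PassThru

# --- Verification: the anchor is visible on DNS1 and via its TrustAnchors zone ---
Get-DnsServerTrustAnchor -Name 'sec.isc2.com'
Resolve-DnsName -Name 'sec.isc2.com.trustanchors' -Type DNSKEY -Server dns1

# With the DO bit set, a validated answer from DNS1 carries the RRSIG that
# covers the A record; an answer from an unsigned zone would have no RRSIG.
Resolve-DnsName -Name 'dc1.sec.isc2.com' -Server dns1 -DnssecOk |
    Format-Table Name, Type, TTL -AutoSize
```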

Querying a Signed Zone with DNSSEC Validation Required

The Name Resolution Policy Table (NRPT) is used to require DNSSEC validation. The NRPT can be configured in local Group Policy for a single computer, or domain Group Policy for some or all computers in the domain. The following procedure uses domain Group Policy.

  1. On DC1, on the Server Manager menu bar, click Tools, and then click Group Policy Management.
  2. In the Group Policy Management console tree, under Domains ⇒ isc2.com ⇒ Group Policy Objects, right-click Default Domain Policy, and then click Edit.
  3. In the Group Policy Management Editor console tree, navigate to Computer Configuration ⇒ Policies ⇒ Windows Settings ⇒ Name Resolution Policy.
  4. In the details pane, under Create Rules and To Which Part Of The Namespace Does This Rule Apply, choose Suffix from the drop-down list and type sec.isc2.com next to Suffix.
  5. On the DNSSEC tab, select the Enable DNSSEC In This Rule checkbox and then under Validation select the Require DNS Clients To Check That Name And Address Data Has Been Validated By The DNS server checkbox.
  6. In the bottom right corner, click Create and then verify that a rule for sec.isc2.com was added under Name Resolution Policy Table.
  7. Click Apply, and then close the Group Policy Management Editor.
  8. On DC1, type the following commands at the Windows PowerShell prompt, and then press Enter:
    gpupdate /force
    get-dnsclientnrptpolicy
  9. Verify that computer and user policy updates were successful, and that the value of DnsSecValidationRequired is True for the .sec.isc2.com namespace.
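The NRPT rule can be written into the domain GPO with the DnsClient module instead of the Group Policy editor, and the effect on lookups can then be checked from DNS1. This is an added example, not part of the original walkthrough; it assumes the Default Domain Policy GPO, the signed sec.isc2.com zone and the trust anchor already imported on DNS1.

```powershell
# Added example (not from the original walkthrough). Assumes DC1 with the
# DnsClient module, the Default Domain Policy GPO, and the signed sec.isc2.com
# zone whose trust anchor has already been imported on DNS1.

# --- On DC1: the suffix rule of steps 4-7, written straight into the GPO ---
# Namespace entries are suffix rules and carry a leading dot, which is why
# Get-DnsClientNrptPolicy reports the rule as ".sec.isc2.com".
Add-DnsClientNrptRule -Namespace '.sec.isc2.com' `
    -DnsSecEnable -DnsSecValidationRequired `
    -GpoName 'Default Domain Policy' `
    -Comment 'Lab: clients must receive validated answers for sec.isc2.com'

# --- On DNS1 (steps 8-9): refresh policy and confirm the effective rule ---
gpupdate /force
$rule = Get-DnsClientNrptPolicy | Where-Object { $_.Namespace -eq '.sec.isc2.com' }
if (-not $rule -or -not $rule.DnsSecValidationRequired) {
    throw 'NRPT rule for .sec.isc2.com is missing or does not require validation'
}

# --- Still on DNS1: observe what the rule enforces ---
# DNS1 resolves through itself (preferred DNS server 10.0.0.2), so the client
# policy applies. A validated answer comes back with its RRSIG; if DNS1 cannot
# validate the zone (missing anchor, bad or expired signature) the lookup
# fails rather than handing the client an unvalidated record.
try {
    $answer = Resolve-DnsName -Name 'dc1.sec.isc2.com' -DnssecOk -ErrorAction Stop
    $signed = [bool]($answer | Where-Object { $_.Type -eq 'RRSIG' })
    "Answer for dc1.sec.isc2.com returned; RRSIG present: $signed"
}
catch {
    "Validation-required lookup failed: $($_.Exception.Message)"
}
```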

Unsigning the Zone

Follow these steps to remove DNSSEC signing from the sec.isc2.com zone so that the zone can next be re-signed using custom DNSSEC parameters:

  1. On DC1, in the DNS Manager console tree, navigate to Forward Lookup Zones ⇒ sec.isc2.com.
  2. Right-click sec.isc2.com, point to DNSSEC, and then click Unsign the Zone.
  3. In the Unsign Zone Wizard, click Next.
  4. Verify that “The zone has been successfully unsigned” is displayed, and then click Finish.
  5. Refresh the view in DNS Manager and verify that the sec.isc2.com zone no longer contains DNSSEC signed records, and the icon next to the zone indicates it is not currently signed.

Resigning the Zone with Custom Parameters

Follow these steps to re-sign the zone using custom DNSSEC parameters:

  1. On DC1, right-click sec.isc2.com, point to DNSSEC, and then click Sign the Zone.
  2. In the Zone Signing Wizard, click Next.
  3. Customize Zone Signing Parameters is chosen by default. Click Next.
  4. On the Key Master page, “The DNS server DC1 is the Key Master” is chosen by default, because zone signing is being performed on DC1.
  5. Ensure that DC1 is chosen as the Key Master and then click Next twice.
  6. On the Key Signing Key (KSK) page, click the existing KSK (with key length of 2048), and then click Remove.
  7. To add a new KSK, click Add.
  8. In the New Key Signing Key (KSK) dialog box, under Key Properties, click the drop-down next to Cryptographic algorithm and select RSA/SHA-512.
  9. Under Key Properties, click the drop-down next to Key length (Bits) and select 4096 and then click OK.
  10. Click Next until “You have successfully configured the following parameters to sign the zone” is displayed.
  11. Review the parameters you have chosen and then click Next to start the zone signing process.
  12. Confirm that “The zone has been successfully signed” is displayed, click Finish, and then refresh the view in DNS Manager to verify the zone is signed again.
  13. Refresh the view for the Trust Points folder and verify that new DNSKEY trust points are present that use the RSA/SHA-512 algorithm.
  14. At an Administrator Windows PowerShell prompt, type the following commands and press Enter:
    Get-DnsServerTrustAnchor -Name sec.isc2.com -ComputerName dns1
    Get-DnsServerTrustAnchor -Name sec.isc2.com -ComputerName dc1
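The unsign and custom re-sign above, with the trust anchor comparison of step 14, can be done with the DnsServer cmdlets on DC1. This is an added example, not part of the original walkthrough; it assumes DC1 is the Key Master and that DNS1 still holds the anchor imported earlier from the keyset file.

```powershell
# Added example (not from the original walkthrough). Assumes DC1 is the Key
# Master with the DnsServer module, and that DNS1 still holds the trust anchor
# imported earlier from \\dc1\dns\keyset-sec.isc2.com.

# --- Unsign the Zone (previous section) ---
Invoke-DnsServerZoneUnsign -ZoneName 'sec.isc2.com' -Force -PassThru

# --- Stage the custom keys before signing (wizard steps 6-9) ---
# KSK: RSA/SHA-512, 4096 bits. A ZSK is staged with the same algorithm so the
# whole zone validates under one algorithm; its length is the cmdlet default.
Add-DnsServerSigningKey -ZoneName 'sec.isc2.com' -Type KeySigningKey `
    -CryptoAlgorithm RsaSha512 -KeyLength 4096
Add-DnsServerSigningKey -ZoneName 'sec.isc2.com' -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha512

# Without -SignWithDefault the zone is signed with the keys staged above.
Invoke-DnsServerZoneSign -ZoneName 'sec.isc2.com' -Force -PassThru
Get-DnsServerSigningKey -ZoneName 'sec.isc2.com' |
    Format-Table KeyType, CryptoAlgorithm, KeyLength -AutoSize

# --- Step 14: compare the trust anchors held by DC1 and DNS1 ---
# DC1's trust point followed the re-sign (step 13). DNS1's anchor was imported
# from a file and, unless it is re-imported, still describes the removed
# 2048-bit KSK, so DNS1 cannot validate the re-signed zone. The comparison
# below is deliberately crude: it diffs the formatted output of both servers.
$onDc1  = Get-DnsServerTrustAnchor -Name 'sec.isc2.com' -ComputerName dc1  | Out-String
$onDns1 = Get-DnsServerTrustAnchor -Name 'sec.isc2.com' -ComputerName dns1 | Out-String
if ($onDc1 -ne $onDns1) {
    'Trust anchors differ: re-import the new keyset on DNS1 (command below).'
}

# --- On DNS1 (Administrator PowerShell), when the anchors differ ---
# Import-DnsServerTrustAnchor -KeySetFile '\\dc1\dns\keyset-sec.isc2.com' -PassThru
```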