Join Timothy Pintello for an in-depth discussion in this video, Configure domain name security extensions, part of Windows Server 2012 R2: Configure Advanced Network Services.
- Next, let's look at DNSSEC or DNS security. DNSSEC stands for Domain Name Security Extensions. DNSSEC provides DNS clients a way to check the integrity of the results they query from the DNS server. When DNSSEC is enabled, it cryptographically signs information that is stored in the DNS zone. Once DNSSEC is enabled, when the client queries the DNSSEC-enabled zone, the client is provided not only the requested record, but also a digital signature to match the requested record.
The signature that is provided to the client is used to validate that the information returned to the client is authentic. There are a number of cryptographic keys that are used with DNSSEC. One such key is the trust anchor. The trust anchor is a special public key associated with the DNS zone. The trust anchor is used to verify the DNS key record for each query. The trust anchor is also replicated to all DNS servers hosted on the domain controllers in an Active Directory forest.
The Key Signing Key is another cryptographic key used by DNSSEC. The Key Signing Key signs all DNS key records. The Key Signing Key is created on the computer that hosts the DNSSEC Key Master role. The DNSSEC Key Master role is usually the computer that hosts the DNS server that DNSSEC is first implemented on. When Server 2012 R2 came out, it allowed some additional flexibility for the Key Master role.
One of the things that Server 2012 R2 did is it allowed the Key Master role to be configured for file-backed multimaster zones. What this did is it allowed the master key to be stored on cryptographic, next-generation-compliant CNG offline storage modules. The next key we want to talk about is the Zone Signing Key or the ZSK. The Zone Signing Key is a key used to sign zone data, including individual host records.
The Zone Signing Key is generated by the DNSSEC Key Master. When a record is created in a signed DNS zone, a Resource Record Signature record or RRSIG record is generated. There is an RRSIG record associated with each individual zone record and zone. This is stored in the DNS zone along with the other records in that zone. Whenever a record is queried from a zone that has DNSSEC configured on it, the server also returns an RRSIG record with any query records that were requested by the client.
Next we have the DNSKEY record. This is a record we've mentioned previously. What the DNSKEY record does, is it's a record that allows a client to verify the authenticity of the RRSIG records. Finally, let's talk about Next Secure records or NSEC/NSEC3 records. The NSEC3 is just a later version of the NSEC record. The NSEC record is a record that verifies a query record does not exist if a client asks for it and it's not there.
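The link between RRSIG and DNSKEY records described in the transcript above can be shown with a short added example; this code is not from the course or from Windows Server. It parses DNSKEY record data using the RFC 4034 field layout, tells a Key Signing Key from a Zone Signing Key, and finds the key an RRSIG's key tag points to. The key bytes, the RRSIG values and the function names are constructed for illustration.

```python
import struct

# Constructed DNSKEY RDATA: flags, protocol, algorithm, then placeholder key bytes
# (far shorter than a real RSA key). Flags 257 marks a KSK, 256 a ZSK.
KSK_RDATA = struct.pack("!HBB", 257, 3, 8) + bytes(range(1, 9))
ZSK_RDATA = struct.pack("!HBB", 256, 3, 8) + bytes(range(9, 17))

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (not valid for the obsolete algorithm 1)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(rdata):
    """Split DNSKEY RDATA into the fields a validator looks at."""
    if len(rdata) < 5:
        raise ValueError("DNSKEY RDATA too short")
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & 0x0100:          # Zone Key bit clear: cannot sign zone data
        role = "not a zone key"
    elif flags & 0x0001:            # Secure Entry Point bit: Key Signing Key
        role = "KSK"
    else:
        role = "ZSK"
    return {"role": role, "algorithm": algorithm, "key_tag": key_tag(rdata)}

def find_signing_key(rrsig_algorithm, rrsig_key_tag, dnskey_rdatas):
    """Return the parsed DNSKEY an RRSIG points to, or None if no key matches.

    A validator must treat None as a failure: the signature cannot be checked.
    Key tags are not unique, so a real validator tries every candidate key.
    """
    for rdata in dnskey_rdatas:
        key = parse_dnskey(rdata)
        if key["role"] != "not a zone key" and \
           (key["algorithm"], key["key_tag"]) == (rrsig_algorithm, rrsig_key_tag):
            return key
    return None

if __name__ == "__main__":
    zone_keys = [KSK_RDATA, ZSK_RDATA]
    # Constructed RRSIG fields: one over the DNSKEY RRset, one over an A record.
    print(find_signing_key(8, key_tag(KSK_RDATA), zone_keys))
    print(find_signing_key(8, key_tag(ZSK_RDATA), zone_keys))
    print(find_signing_key(8, 4242, zone_keys))  # no such key -> None
```

Matching the key tag only selects which DNSKEY to try; the signature itself still has to be verified cryptographically with that key.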
This Windows training course helps you study for the exams while learning advanced server administration techniques. Professor Timothy Pintello covers all of the core exam topics, including DHCPv6, primary and secondary DNS zone configuration, working with different DNS resource record types, VPN routing, certificates for direct access, IPAM admin delegation, and more.
- Implementing advanced DHCP solutions
- Configuring DNS zones
- Configuring DNS records
- Implementing advanced DNS solutions
- Configuring VPN and routing
- Configuring direct access
- Deploying and managing IPAM
Skill Level Intermediate