Overview

Introduction

Welcome to the Implementing DNSSEC Practice Lab. In this module you will be provided with the instructions and devices needed to develop your hands-on skills.

Learning Outcomes

In this module, you will complete the following exercises:

  • Preparing DNS Setup for DNSSEC
  • Configuring DNSSEC
  • Customizing DNSSEC

After completing this lab, you will be able to:

  • Create a Zone
  • Create Sample Resource Records
  • Create a Non-Authoritative DNS Server
  • Create a Secondary Domain Controller
  • Sign the Zone Using Default Settings
  • Distribute the TA to a Non-Authoritative DNS Server
  • Verify DNSKEY Trust Anchors
  • Distribute TAs to a Secondary Domain Controller
  • Query a Signed Zone without DNSSEC Validation Required
  • Configure Support for DNSSEC in GPO
  • Query a Signed Zone with DNSSEC Validation Required
  • Unsign the Secure Zone
  • Re-Sign secure.practicelabs.com with Custom Parameters
  • Show Failed and Unsecured Validation

Exam Objectives

The following exam objectives are covered in this lab:

  • CAS-003 3.1 Given a scenario, conduct a security assessment using the appropriate methods.
  • CAS-003 4.1 Given a scenario, integrate hosts, storage, networks and applications into a secure enterprise architecture.

Lab Duration

It will take approximately 1 hour to complete this lab.

Exercise 1 - Preparing DNS Setup for DNSSEC

Domain Name System Security Extensions (DNSSEC) is a set of extensions that adds a layer of security to DNS by enabling responses sent to DNS clients (resolvers) to be validated. When a DNS resolver queries a zone that is signed with DNSSEC, the authenticity and integrity of the responses are verified using the zone's security keys.

For this exercise, you will prepare the requirements to successfully test DNSSEC on Windows Server 2016 by creating a new zone, adding Resource Records, installing a non-authoritative DNS server, and, lastly, installing a secondary domain controller.

Learning Outcomes

After completing this exercise, you will be able to:

  • Create a Zone
  • Create Sample Resource Records
  • Create a Non-Authoritative DNS Server
  • Create a Secondary Domain Controller

Exercise 2 - Configuring DNSSEC

Configuring DNSSEC on a zone is an easy and straightforward process using the DNS Manager, as most of the important settings for signing the zone are provided by the DNSSEC wizard.

In this exercise, you will enable DNSSEC on the secure.practicelabs.com zone, distribute the zone's keys to the other servers as Trust Anchors, and verify the configuration. A Trust Anchor (TA) is a public key associated with a specific zone that has been protected with DNSSEC. When distributed among DNS servers, the TAs form a chain of trust that is used to validate DNSSEC data among servers.

Learning Outcomes

After completing this exercise, you will be able to:

  • Sign the Zone Using Default Settings
  • Distribute the TA to a Non-Authoritative DNS Server
  • Verify DNSKEY Trust Anchors
  • Distribute TAs to a Secondary Domain Controller
  • Query a Signed Zone without DNSSEC Validation Required
  • Configure Support for DNSSEC in GPO
  • Query a Signed Zone with DNSSEC Validation Required

Exercise 3 - Customizing DNSSEC

The DNSSEC wizard provides a set of default settings for signing a zone. In a similar way, you can sign a zone using customized settings by using the DNSSEC feature of the DNS Manager.

For example, a change in the security key on PLABDC01 (which hosts the secure.practicelabs.com zone) creates a mismatch with the DNS servers that still hold a copy of the earlier Trust Anchor (TA) key. The new security key therefore needs to be updated on all of those servers to enable validation.

In this exercise, you will unsign the secure.practicelabs.com zone and re-sign it using custom parameters. You will notice the effect of the re-signed DNS zone on the other servers that hold copies of the DNSSEC keys or Trust Anchors from the first signing.

Learning Outcomes

After completing this exercise, you will be able to:

  • Unsign the Secure Zone
  • Re-Sign secure.practicelabs.com with Custom Parameters
  • Show Failed and Unsecured Validation
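
The trust anchor mismatch described in this exercise can be shown offline. The following is an added example, not part of the lab: it computes DNSKEY key tags (RFC 4034, Appendix B) and flags any stored anchor that no longer matches a key-signing key in the zone. The DNSKEY records are constructed, deliberately short sample values, not output from PLABDC01.

```python
import base64
import struct

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit checksum over DNSKEY RDATA."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def parse_dnskey(text):
    """Parse '<flags> <protocol> <algorithm> <base64 key>' (presentation form)."""
    flags, protocol, algorithm, key = text.split(None, 3)
    # Wire-format RDATA: flags(2) | protocol(1) | algorithm(1) | public key
    rdata = struct.pack("!HBB", int(flags), int(protocol), int(algorithm))
    rdata += base64.b64decode(key.replace(" ", ""))
    return {"flags": int(flags), "tag": key_tag(rdata), "rdata": rdata}

def check_trust_anchors(anchors, zone_dnskeys):
    """Map each stored anchor's key tag to 'valid' or 'stale'."""
    # Only keys with the SEP bit set (flags 257) act as key-signing keys.
    current_ksks = {k["rdata"] for k in map(parse_dnskey, zone_dnskeys)
                    if k["flags"] & 0x0001}
    report = {}
    for text in anchors:
        anchor = parse_dnskey(text)
        report[anchor["tag"]] = ("valid" if anchor["rdata"] in current_ksks
                                 else "stale")
    return report

# Constructed sample data (real DNSKEY public keys are far longer).
STORED_ANCHORS = ["257 3 8 AQIDBA=="]                       # TA from first signing
ZONE_BEFORE = ["257 3 8 AQIDBA==", "256 3 8 CQoLDA=="]      # original KSK + ZSK
ZONE_AFTER_RESIGN = ["257 3 8 BQYHCA==", "256 3 8 CQoLDA=="]  # new KSK after re-sign

if __name__ == "__main__":
    print("before re-sign:", check_trust_anchors(STORED_ANCHORS, ZONE_BEFORE))
    print("after re-sign: ", check_trust_anchors(STORED_ANCHORS, ZONE_AFTER_RESIGN))
```

A "stale" result corresponds to the state in which servers holding the old anchor cannot validate responses until the new key is distributed to them.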
