The Implementing DNSSEC module provides you with the instruction and server hardware to develop your hands-on skills in the topics listed below. This module includes the following exercises:
- Preparing DNS setup for DNSSEC
- Configuring DNSSEC
- Customizing DNSSEC
Lab time: It will take approximately 1 hour to complete this lab.
The following exam objectives are covered in this lab:
- Enabling DNSSEC on a zone
- Creating a custom DNSSEC on a zone
Exercise 1 - Preparing DNS Setup for DNSSEC
Domain Name System Security Extensions, or DNSSEC, is a set of extensions that adds a layer of security to a DNS server by enabling the responses it sends to DNS clients (resolvers) to be validated. When a DNS resolver queries a zone that is signed with DNSSEC, the authenticity and integrity of the responses can be verified using the zone's signing keys and the signatures they produce.
For this exercise, you will prepare the requirements to successfully test DNSSEC on Windows Server 2016 by creating a new zone, adding Resource Records, installing a non-authoritative DNS server, and, lastly, installing a secondary domain controller.
Exercise 2 - Configuring DNSSEC
Configuring DNSSEC on a zone is a straightforward process in the DNS Manager, because the DNSSEC wizard supplies most of the important settings for signing the zone.
In this exercise, you will enable DNSSEC on the secure.practicelabs.com zone, distribute the keys to other servers as Trust Anchors, and verify the configuration. A Trust Anchor (TA) is a public key associated with a specific zone that has been protected with DNSSEC. When distributed among DNS servers, the TAs form a chain of trust that lets those servers validate DNSSEC data for the zone.
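The following PowerShell session is an added example and is not part of the Practice Labs exercise text. It shows the Exercise 1 preparation and the Exercise 2 workflow from the DnsServer module on Windows Server 2016: create the zone on PLABDC01, sign it with the wizard defaults, export the public key as a keyset file, import that file as a Trust Anchor on a non-authoritative DNS server, and verify with a validating query. The resolver name PLABSA01, the C:\keys folder and its \\PLABDC01\keys share, and the www host record are assumptions for the example; only PLABDC01 and secure.practicelabs.com come from the lab.

```powershell
# Added example (not the lab's own script). Assumes the DnsServer module on Windows Server 2016,
# PLABDC01 as the authoritative server, and a non-authoritative DNS server PLABSA01 (hypothetical
# name) that forwards to PLABDC01 and can read the share \\PLABDC01\keys (hypothetical path).
$zone       = 'secure.practicelabs.com'
$authServer = 'PLABDC01'
$resolver   = 'PLABSA01'      # hypothetical non-authoritative server from Exercise 1

# --- Exercise 1 preparation on PLABDC01: zone plus a sample A record (192.0.2.10 is a constructed value) ---
Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -ComputerName $authServer
Add-DnsServerResourceRecordA -ZoneName $zone -Name 'www' -IPv4Address '192.0.2.10' -ComputerName $authServer

# --- Exercise 2 on PLABDC01: sign the zone with the wizard's default settings (KSK + ZSK, NSEC3) ---
Invoke-DnsServerZoneSign -ZoneName $zone -SignWithDefault -Force -ComputerName $authServer

# Show the keys the default signing created, so you know which KSK the Trust Anchor will carry
Get-DnsServerSigningKey -ZoneName $zone -ComputerName $authServer |
    Select-Object KeyType, CryptoAlgorithm, KeyLength, RolloverPeriod

# Export the zone's public KSK as a keyset file; the cmdlet writes keyset-<zonename> into -Path
New-Item -ItemType Directory -Path 'C:\keys' -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\keys' -Force -ComputerName $authServer

# --- On the non-authoritative server: install the Trust Anchor from the exported keyset file ---
Import-DnsServerTrustAnchor -KeySetFile "\\$authServer\keys\keyset-$zone" -ComputerName $resolver

# The TA is now listed for the zone; TrustAnchorState shows whether the server accepts it
Get-DnsServerTrustAnchor -Name $zone -ComputerName $resolver |
    Select-Object TrustAnchorName, TrustAnchorType, TrustAnchorState

# --- Verify: query the resolver with the DO bit set; a validated answer carries RRSIG records ---
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk
$answer | Where-Object Type -eq 'RRSIG' | Format-Table Name, Type, TTL -AutoSize
```

Run the PLABDC01 part and the resolver part from a management host that has the DnsServer module and remote access to both servers, or run each block locally and drop the -ComputerName arguments. If no RRSIG rows appear, check that the resolver actually forwards to PLABDC01 and that the TA state is not Missing before looking at the zone itself.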
Exercise 3 - Customizing DNSSEC
The DNSSEC wizard provides a set of default settings for signing a zone. You can instead sign a zone with customized settings through the same DNSSEC feature of the DNS Manager.
For example, a change of the signing key on PLABDC01 (which hosts the secure.practicelabs.com zone) creates a mismatch with every DNS server that holds a copy of the old Trust Anchor (TA) key. The new key therefore has to be distributed to all of those servers before they can validate responses for the zone again.
In this exercise, you will unsign the secure.practicelabs.com zone and re-sign it using custom parameters. You will notice the effect of the re-signed DNS zone on the other servers that hold copies of the DNSSEC keys or Trust Anchors from the first signing.
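The following PowerShell session is an added example and is not part of the Practice Labs exercise text. It carries the Exercise 3 workflow through from the command line: unsign secure.practicelabs.com, re-sign it with custom keys and NSEC3 settings instead of the wizard defaults, observe that a resolver still holding the Trust Anchor from the first signing can no longer validate the zone, and then redistribute the new key. As before, the resolver name PLABSA01 and the \\PLABDC01\keys share are assumptions; the key sizes, rollover periods and NSEC3 values are illustrative custom choices, not lab-prescribed values.

```powershell
# Added example (not the lab's own script). Assumes the zone was signed and its Trust Anchor
# imported on PLABSA01 (hypothetical name) earlier, and that C:\keys on PLABDC01 is shared
# as \\PLABDC01\keys (hypothetical path).
$zone       = 'secure.practicelabs.com'
$authServer = 'PLABDC01'
$resolver   = 'PLABSA01'

# 1. Unsign: removes the DNSKEY, RRSIG and NSEC3 records and the configured signing keys
Invoke-DnsServerZoneUnsign -ZoneName $zone -Force -ComputerName $authServer

# 2. Re-sign with custom parameters. The KSK and ZSK are created explicitly (algorithm, length,
#    rollover period) and the zone's denial-of-existence and signature validity are set before signing.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 -RolloverPeriod (New-TimeSpan -Days 755) -ComputerName $authServer
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 `
    -KeyLength 1024 -RolloverPeriod (New-TimeSpan -Days 90)  -ComputerName $authServer
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 -NSec3Iterations 10 `
    -NSec3OptOut $false -ZoneSignatureValidityPeriod (New-TimeSpan -Days 10) -ComputerName $authServer
# Sign with the keys just added (no -SignWithDefault, so the custom keys and settings are used)
Invoke-DnsServerZoneSign -ZoneName $zone -Force -PassThru -ComputerName $authServer
Get-DnsServerDnsSecZoneSetting -ZoneName $zone -ComputerName $authServer |
    Select-Object DenialOfExistence, NSec3Iterations, NSec3OptOut, ZoneSignatureValidityPeriod

# 3. The resolver still holds the TA from the FIRST signing, which no longer matches the new KSK.
#    Clear its cache so the next query is resolved fresh, then watch validation fail (SERVFAIL).
Clear-DnsServerCache -Force -ComputerName $resolver
Get-DnsServerTrustAnchor -Name $zone -ComputerName $resolver |
    Select-Object TrustAnchorName, TrustAnchorType, TrustAnchorState
Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk -ErrorAction SilentlyContinue
# Compare with a checking-disabled query, which returns the records without validating them
Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk -DnssecCd

# 4. Redistribute the key: drop the stale TA, export the new public key, import it on the resolver
Remove-DnsServerTrustAnchor -Name $zone -Force -ComputerName $resolver
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path 'C:\keys' -Force -ComputerName $authServer
Import-DnsServerTrustAnchor -KeySetFile "\\$authServer\keys\keyset-$zone" -ComputerName $resolver
Clear-DnsServerCache -Force -ComputerName $resolver
Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk | Where-Object Type -eq 'RRSIG'
```

The pair of queries in step 3 is the useful check: a validating query (-DnssecOk) failing while the checking-disabled query (-DnssecCd) still returns the records tells you the zone data is reachable and the problem is the chain of trust, which is exactly the mismatch a key change creates on every server that kept the old Trust Anchor. The same step 4 redistribution has to be repeated on every such server, not just one.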