How to Set Up DNSSEC on Windows Server 2019

March 21, 2026
Tutorials
Comment off

Introduction to DNSSEC on Windows Server 2019

DNSSEC (Domain Name System Security Extensions) adds cryptographic signatures to DNS records, allowing resolvers to verify that responses are authentic and have not been tampered with in transit. Without DNSSEC, a resolver has no way to distinguish a legitimate DNS response from a forged one injected by a man-in-the-middle attacker. Windows Server 2019 supports both signing zones as an authoritative server and validating signatures as a recursive resolver. This guide covers end-to-end DNSSEC deployment for an internal Active Directory integrated zone.

Understanding DNSSEC Concepts

Before configuring DNSSEC, it is important to understand the key record types involved. The DNSKEY record publishes the public key for a zone. The RRSIG record is a cryptographic signature covering a specific resource record set. The DS (Delegation Signer) record in the parent zone creates a chain of trust from the parent to the child zone. The NSEC/NSEC3 records provide authenticated denial of existence, proving that a queried name does not exist in the zone.

Windows Server 2019 DNS supports both NSEC and NSEC3. NSEC3 uses hashed owner names, preventing zone enumeration through walking NSEC chains.

Prerequisites

You need at minimum one Windows Server 2019 DNS server hosting a primary zone. For Active Directory integrated zones, the zone must be stored in AD DS. Ensure the DNS Server role is installed and the zone you want to sign is operational:

Get-DnsServerZone | Select-Object ZoneName, ZoneType, IsDsIntegrated, IsSigned

Generate DNSSEC Signing Keys

DNSSEC uses two key types. The Key Signing Key (KSK) signs the DNSKEY RRset itself and is used to establish the chain of trust with the parent zone. The Zone Signing Key (ZSK) signs all other resource record sets in the zone. The KSK is typically larger and rotated less frequently; the ZSK is rotated more often to limit exposure.

# Sign the zone using the DNS Manager wizard via PowerShell
# First, create a KSK using RSA/SHA-256
Invoke-DnsServerZoneSign -ZoneName "corp.example.com" `
    -SignWithDefault `
    -Force

# To manually control keys, first add a KSK
Add-DnsServerSigningKey -ZoneName "corp.example.com" `
    -Type KeySigningKey `
    -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 `
    -InitialRolloverOffset 0:0:0 `
    -DnsKeySignatureValidityPeriod 168:0:0 `
    -DSSignatureValidityPeriod 168:0:0 `
    -ZoneSignatureValidityPeriod 336:0:0

# Add a ZSK
Add-DnsServerSigningKey -ZoneName "corp.example.com" `
    -Type ZoneSigningKey `
    -CryptoAlgorithm RsaSha256 `
    -KeyLength 1024 `
    -InitialRolloverOffset 0:0:0 `
    -ZoneSignatureValidityPeriod 336:0:0

Sign the Zone

Once the keys are created, sign the zone. For Active Directory integrated zones, signing state is replicated to all domain controllers hosting the zone.

# Sign the zone (keys must exist first)
Invoke-DnsServerZoneSign -ZoneName "corp.example.com" -Force

# Verify signing status
Get-DnsServerZone -Name "corp.example.com" | Select-Object ZoneName, IsSigned

# View signing keys
Get-DnsServerSigningKey -ZoneName "corp.example.com" | 
    Select-Object KeyTag, KeyType, Algorithm, KeyLength, KeyState | Format-Table

After signing, the zone will contain DNSKEY, RRSIG, and NSEC3 records. You can verify by querying the zone directly:

Resolve-DnsName -Name "corp.example.com" -Type DNSKEY -Server 127.0.0.1
Resolve-DnsName -Name "corp.example.com" -Type NS -Server 127.0.0.1 -DnssecOk

Configure NSEC3 for Zone Walking Prevention

By default Windows Server 2019 may use NSEC. To prevent zone enumeration, switch to NSEC3 with a non-zero iteration count and a random salt:

# Get current DNSSEC settings
Get-DnsServerDnsSecZoneSetting -ZoneName "corp.example.com"

# Set NSEC3 with salt and iterations
Set-DnsServerDnsSecZoneSetting -ZoneName "corp.example.com" `
    -DenialOfExistence NSec3 `
    -NSec3HashAlgorithm Sha1 `
    -NSec3Iterations 50 `
    -NSec3RandomSaltLength 8 `
    -NSec3UserSalt "-"

# Re-sign after changing NSEC settings
Invoke-DnsServerZoneSign -ZoneName "corp.example.com" -Force

Enable DNSSEC Validation on Recursive Resolvers

To have your DNS server validate DNSSEC signatures on behalf of internal clients, configure Trust Anchors. For the root zone, Windows Server 2019 includes the root trust anchor automatically. For internal zones signed by your own KSK, distribute the trust anchor manually.

# View existing trust anchors
Get-DnsServerTrustAnchor -ZoneName "."

# Export the DS record for the signed zone to distribute to parent
Get-DnsServerResourceRecord -ZoneName "corp.example.com" -RRType DS

# Add a trust anchor for an internal zone on a forwarding resolver
Add-DnsServerTrustAnchor -ZoneName "corp.example.com" `
    -KeyTag 12345 `
    -Algorithm RsaSha256 `
    -DigestType Sha256 `
    -Digest "AABBCC..."

Replace the KeyTag, Algorithm, and Digest values with those from your actual DS record. The DigestType must match what was used when generating the DS record.

Automate Key Rollover

DNSSEC keys must be rotated periodically to limit the window of exposure if a private key is compromised. Windows Server 2019 supports automatic key rollover. Configure rollover schedules when adding signing keys:

# Modify an existing ZSK rollover schedule
Set-DnsServerSigningKey -ZoneName "corp.example.com" `
    -KeyId (Get-DnsServerSigningKey -ZoneName "corp.example.com" | 
            Where-Object KeyType -eq ZoneSigningKey | 
            Select-Object -First 1).KeyId `
    -RolloverPeriod 30.0:0:0 `
    -NextRolloverAction RolloverSigningKey

# View the current rollover schedule
Get-DnsServerSigningKey -ZoneName "corp.example.com" | 
    Select-Object KeyTag, KeyType, KeyState, NextRolloverAction, RolloverPeriod

KSK rollovers require coordination with the parent zone to update the DS record. ZSK rollovers are fully automated and transparent to the parent.

Verify DNSSEC with Dig or Resolve-DnsName

Test that DNSSEC validation is working from a client:

# From Windows client - check AD bit in response (indicates validation)
Resolve-DnsName -Name "host1.corp.example.com" -DnssecOk -Server 192.168.1.10

# From Linux client using dig
# dig +dnssec host1.corp.example.com @192.168.1.10

# Test NSEC3 denial of existence
Resolve-DnsName -Name "doesnotexist.corp.example.com" -DnssecOk -Server 192.168.1.10

Monitoring DNSSEC Events

DNSSEC signing failures and validation errors are logged in the DNS Server event log. Monitor for Event IDs related to key rollover and signing failures:

# Query DNSSEC-related events
Get-WinEvent -LogName "Microsoft-Windows-DNS-Server/Audit" -MaxEvents 100 |
    Where-Object Message -match "DNSSEC|signing|key|rollover" |
    Select-Object TimeCreated, Id, Message | Format-List

# Check zone signing health
Get-DnsServerZone -Name "corp.example.com" | 
    Select-Object ZoneName, IsSigned, DynamicUpdate

Summary

Deploying DNSSEC on Windows Server 2019 involves generating KSK and ZSK key pairs, signing the zone to produce RRSIG and DNSKEY records, configuring NSEC3 to prevent zone walking, distributing trust anchors to recursive resolvers, and automating key rollover to maintain ongoing security. DNSSEC does not encrypt DNS traffic — it only provides integrity and authenticity. For confidentiality of DNS queries, consider implementing DNS over HTTPS or DNS over TLS in addition to DNSSEC.