Identify Zones for DNSSEC

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

Before you deploy DNSSEC, you must identify the DNS zones that must be secured.


When deploying DNSSEC for the first time, limit the size and scope of your deployment to a static zone and a small number of clients and servers. Expand your deployment gradually as you become more familiar with issues and requirements associated with the technology.

Identifying your secure zones

Consider the following factors when identifying zones that you wish to protect with DNSSEC.

  • Once a zone is signed, it will no longer be able to receive dynamic updates.

  • Signing of an Active Directory (AD) integrated domain zone will require the manual update of all SRV records and other resource records. To sign an AD-integrated zone, it must first be converted to a file-backed zone.

  • All authoritative DNS servers that host a signed zone must first be upgraded to use Windows Server® 2008 R2.

If you do not have an existing zone that is suitable to use in your DNSSEC deployment, you can create a new zone that contains only those resource records that you choose to protect. A new DNSSEC-protected zone can be deployed using the following steps:

  1. Identify a list of names that can be added to a static zone. Typically servers that host applications, file shares, and databases are configured with static IP addresses that can be added to a static DNS zone.

  2. Identify the DNS servers that will host or resolve names in the zone. See DNSSEC Deployment Planning for operating system considerations.

  3. Create a new zone on your DNS servers that can be located by client computers with the suffix search list. For example, if your domain is, you can create a zone named

  4. Add the list of static records to the zone.

  5. Sign the zone and distribute trust anchors.

  6. Configure and deploy NRPT settings for the zone.

  7. Verify clients can resolve names in the zone using the fully qualified domain name (FQDN).

  8. Add the new domain suffix to the suffix search list on client computers.

  9. Delete the original static records from previous zones.

See Also


Checklist: Preparing to Deploy DNSSEC