The Domain Name System (DNS) is a hierarchical, distributed database that contains mappings between names and other information, such as IP addresses. DNS allows users to locate resources on the network by converting friendly, human-readable names like www.microsoft.com to IP addresses that computers can connect to.
DNS is a critical infrastructure service that supports the Internet and corporate networks. Users and applications rarely attempt to locate other computers directly by IP address; name resolution is performed first instead. Web, e-mail, and instant messaging applications, as well as technologies like Active Directory Domain Services (AD DS), rely on DNS to perform their operations.
Because the DNS protocol itself provides no authentication or integrity protection for the answers it returns, it is vulnerable to spoofing, man-in-the-middle, and cache poisoning attacks. Attacks of this kind can compromise all future communications to the host whose name was resolved, because every later connection is directed to the attacker's address. For this reason, it has become critical to develop a means for securing DNS.
Domain Name System Security Extensions (DNSSEC) is a suite of extensions that add security to the DNS protocol. The core DNSSEC extensions are specified in RFCs 4033, 4034, and 4035, with additional RFCs providing supporting information. Specifically, DNSSEC provides origin authority, data integrity, and authenticated denial of existence. In addition to several new concepts and operations for both the DNS server and the DNS client, DNSSEC introduces four new resource records (DNSKEY, RRSIG, NSEC and DS) to DNS. This guide provides an overview of DNSSEC and information about how to deploy DNSSEC on the Windows Server 2008 R2 and Windows 7 operating systems.
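To show how two of the new record types fit together, the following is an added worked example in Python; it is not code from this guide or from Microsoft. It computes the key tag and DS digest that a parent zone publishes for a child's DNSKEY (the link that gives origin authority across a delegation) and checks whether an NSEC chain proves that a queried name does not exist (authenticated denial of existence). The zone name, DNSKEY bytes and NSEC chain are constructed sample data, and the example assumes the RRSIG signatures on the DNSKEY and NSEC RRsets have already been validated by the caller.

```python
"""DNSSEC chain-of-trust helpers: DS <-> DNSKEY linkage and NSEC coverage.

Added example, not part of the DNSSEC deployment guide. All sample data
(zone name, key bytes, NSEC chain) is constructed for illustration.
"""
import hashlib
import hmac
import struct


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each prefixed by its length, terminated by the empty root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol (always 3), 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


_DIGEST = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (RFC 4034, RFC 4509)


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> dict:
    """Build the DS record a parent zone publishes for a child's DNSKEY:
    digest = H(canonical owner name || DNSKEY RDATA)."""
    digest = _DIGEST[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": digest_type, "digest": digest}


def ds_matches_dnskey(ds: dict, owner: str, rdata: bytes) -> bool:
    """Validator-side check: does the DNSKEY received from the child zone hash
    to the DS that the (already validated) parent zone published? Any change
    to the key bytes breaks the link, so a substituted key is rejected."""
    if ds["key_tag"] != key_tag(rdata) or ds["algorithm"] != rdata[3]:
        return False
    expected = _DIGEST[ds["digest_type"]](name_to_wire(owner) + rdata).hexdigest()
    return hmac.compare_digest(expected, ds["digest"])


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 section 6.1 canonical DNS name order: labels are
    compared right to left, case-insensitively; a name sorts before its
    subdomains."""
    return tuple(reversed([l for l in name.lower().rstrip(".").split(".") if l]))


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """True if the NSEC record <owner> -> <next_name> proves that qname does
    not exist: owner < qname < next, with wrap-around for the last NSEC in
    the chain (its next field points back to the zone apex)."""
    o, n, q = canonical_key(owner), canonical_key(next_name), canonical_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last record in the chain wraps to the apex


def denial_proof(nsec_chain, qname: str):
    """Return the (owner, next) NSEC pair that covers qname, or None if no
    record does (the name exists, or the proof is incomplete). Only meaningful
    for NSEC RRsets whose RRSIGs validated: an unsigned NSEC proves nothing."""
    for owner, next_name in nsec_chain:
        if nsec_covers(owner, next_name, qname):
            return (owner, next_name)
    return None


# Constructed sample data (not a real key; flags 257 = zone key + secure entry point).
ZONE = "example.com."
SAMPLE_KEY = bytes.fromhex("03010001aabbccdd")
KSK_RDATA = dnskey_rdata(257, 3, 8, SAMPLE_KEY)
SAMPLE_NSEC_CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "c.example.com."),
    ("c.example.com.", "example.com."),  # last record wraps to the apex
]

if __name__ == "__main__":
    ds = make_ds(ZONE, KSK_RDATA)
    print("DS for", ZONE, ds)
    print("DNSKEY matches DS:", ds_matches_dnskey(ds, ZONE, KSK_RDATA))
    for q in ("b.example.com.", "z.example.com.", "a.example.com."):
        print(q, "covered by", denial_proof(SAMPLE_NSEC_CHAIN, q))
```

A validator walks this chain from a configured trust anchor downward: each DS it has already validated vouches for the child's DNSKEY, which in turn signs (via RRSIG) the child's data and its DS records for the next level. The NSEC check is what turns a plain "no such name" into a verifiable answer, since a forged NXDOMAIN would have to carry a covering NSEC record signed with the zone's key.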