DNSSEC broken in Windows 2016's DNS server?


The solution, found at http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation, was to run:

DnsCmd.exe /Config /enablednssec 1
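As an added check that is not part of the original answer, the same server-wide switch can be read and set from PowerShell with the DnsServer module, and the effect verified the way the online validators do: by querying the zone with the DNSSEC OK (DO) bit set and looking for RRSIGs in the reply. The server name `dns01.example.test` and zone `example.test` are placeholders.

```powershell
# Added example, not from the original post. Assumes the DnsServer RSAT
# module is available; server and zone names are placeholders.
$Server = 'dns01.example.test'   # Windows 2016 DNS server to check (placeholder)
$Zone   = 'example.test'         # DNSSEC-signed zone hosted on it (placeholder)

# 1. Read the server-wide DNSSEC switch that "DnsCmd /Config /enablednssec 1" flips.
$settings = Get-DnsServerSetting -ComputerName $Server -All
if (-not $settings.EnableDnsSec) {
    Write-Warning "EnableDnsSec is off on $Server; enabling it."
    $settings.EnableDnsSec = $true
    Set-DnsServerSetting -ComputerName $Server -InputObject $settings
}

# 2. Ask for the zone's DNSKEY RRset with the DO bit set, as a validator would.
#    A server doing DNSSEC processing returns the covering RRSIG records next
#    to the DNSKEYs; without them a validator reports "No RRSIGs found" and
#    finds no secure entry point into the zone.
$answer  = Resolve-DnsName -Name $Zone -Type DNSKEY -Server $Server -DnssecOk
$dnskeys = @($answer | Where-Object Type -eq 'DNSKEY')
$rrsigs  = @($answer | Where-Object Type -eq 'RRSIG')

"DNSKEY records: $($dnskeys.Count)   RRSIG records: $($rrsigs.Count)"
if ($dnskeys.Count -eq 0) {
    Write-Warning "$Zone returned no DNSKEY: the zone is not signed on $Server."
} elseif ($rrsigs.Count -eq 0) {
    Write-Warning "DNSKEYs present but no RRSIGs: $Server is not doing DNSSEC extra processing."
} else {
    "$Server answers $Zone with signatures; re-run the external validators to confirm."
}
```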

Author: mehdi.loa

Company: http://huagati.com/ Blog: http://huagati.blogspot.com/ CV: http://huagati.com/kacv.aspx

Updated on September 18, 2022

Comments

  • mehdi.loa almost 2 years

    I'm currently in the process of migrating a DNS server from Windows 2012 R2 to Windows 2016. However, I have run into an issue with DNSSEC. So far I have just moved one domain, an unused test domain, from the Win2012 server to the Win2016 server, and I am getting DNSSEC validation errors on just about every DNSSEC validation tool I have tested ("No RRSIGs found", "Nameserver does not do DNSSEC extra processing.", "No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.", etc.).

    On the Win2012 box, the DNS server config dialog has an option "Enable DNSSEC validation for remote responses":

    DNS server properties on Windows 2012 R2

    The same option is missing on Windows 2016:

    DNS server properties on Windows 2016

    Help, what's going on here?

    Apparently, others have run into the same issue; here are two other discussions I found when googling this problem:

    http://webcache.googleusercontent.com/search?q=cache:fEdkPUHEA40J:lists.cloudapp.net/pipermail/windns-users/2016-July/000133.html+&cd=2&hl=en&ct=clnk

    https://social.technet.microsoft.com/Forums/en-US/34e0d2b2-438b-4116-9329-78ecc1e1d550/dnssec-validation-fail-in-windows-server-2016

    Update: after a bit of googling, I found this article:

    http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation

    ...which has a command line option for enabling DNSSEC:

    DnsCmd.exe /Config /enablednssec 1

    ...and that solved it for me.

    • Calle Dybedahl almost 7 years
      The error messages you quote talk about problems with the responses your server sends to others. The option you're missing talks about your machine validating responses it gets from other servers. Those are very different things. Maybe you need to look for a different option to activate on your server?
    • mehdi.loa almost 7 years
      I think it is controlled by the same setting. That said, although it is not visible in the DNS server GUI, it can be enabled from the command line. (See my update above)