AZ-800 Administering Windows Server Hybrid Core Infrastructure Exam

Eager to master hybrid server management? Discover how to administer Windows Server Hybrid Core Infrastructure on Azure, setting your path towards the Microsoft Certified: Azure Hybrid Infrastructure Administrator Associate certification!


Implement Domain Name System Security Extensions

Cryptographic Key Management and Zone Signing

DNS Security Extensions (DNSSEC) add a layer of protection to DNS by letting resolvers verify that responses originate from the zone's authoritative source and have not been altered in transit. In both Windows Server and Azure DNS zones, cryptographic key management is the foundation for signing DNS data. Administrators must generate and manage keys carefully to maintain integrity and prevent unauthorized changes. Signing and validation also defend against common DNS attacks such as cache poisoning and spoofing.

To sign a DNS zone, you work with two main types of keys: Zone Signing Key (ZSK) and Key Signing Key (KSK). The ZSK is used to sign individual DNS records, while the KSK secures the DNSKEY records themselves. Together, these keys create an unbroken chain of trust that clients can verify. Keys should be strong, unique, and stored in a secure location, such as a Hardware Security Module (HSM) or Azure Key Vault.

The zone signing process adds several key DNSSEC records to the zone. Common records include:

  • DNSKEY, which holds the public key used for validation
  • RRSIG, containing the signature over each record set
  • NSEC/NSEC3, which prove that a queried name does not exist; NSEC3 hashes the names so attackers cannot walk through the zone
  • DS, a digest of the KSK published in the parent zone (or the Azure DNS parent) to link the chain of trust

Automating zone signing and key rotation is critical for maintaining security. You can configure Windows Server DNS or Azure DNS to:

  1. Automatically generate new keys on a regular schedule
  2. Sign the zone with the latest keys
  3. Publish DS records to the parent zone or Azure DNS

Validators use a Trust Anchor, which is a preconfigured public key, to confirm that DNSSEC signatures are valid. When a resolver receives a signed response, it checks the RRSIG against the DNSKEY and Trust Anchor. If validation succeeds, the data is returned; if it fails, the resolver responds with an error, typically a SERVFAIL. By setting the DNSSEC OK (DO) bit in queries, clients and recursive servers ensure that all required security information is requested.
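The key generation, signing, DS export and resolver-side check described above, as an added example for the Windows Server side (not part of the course material). It assumes a zone named corp.example.com, an output folder C:\DNSSEC and a validating resolver at 10.0.0.53; run it from an elevated session on a server with the DnsServer module.

```powershell
# Added example: sign a zone with a separate KSK and ZSK, enable NSEC3, export the
# DS set for the parent and verify from a validating resolver.
#Requires -Modules DnsServer
$zone     = 'corp.example.com'   # assumed zone name
$outDir   = 'C:\DNSSEC'          # assumed export folder
$resolver = '10.0.0.53'          # assumed validating recursive resolver
# Swap in an HSM-backed Key Storage Provider here if one is installed; the
# Windows software provider is the default.
$ksp      = 'Microsoft Software Key Storage Provider'

# 1. Generate the keys. The KSK only signs the DNSKEY RRset, so it can roll
#    slowly; the ZSK signs every record set and rolls more often.
Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 -KeyStorageProvider $ksp -RolloverPeriod (New-TimeSpan -Days 755)
Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -CryptoAlgorithm RsaSha256 `
    -KeyLength 2048 -KeyStorageProvider $ksp -RolloverPeriod (New-TimeSpan -Days 90)

# 2. Use NSEC3 with a random salt for denial of existence so the zone cannot be
#    enumerated by following NSEC chains. Applied when the zone is signed.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 `
    -NSec3Iterations 10 -NSec3RandomSaltLength 8

# 3. Sign the zone with the keys just added (-Force skips the confirmation prompt).
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# 4. Inspect what signing produced. Flag 257 marks the KSK (SEP bit set),
#    flag 256 the ZSK; every record set should now carry an RRSIG.
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey |
    Select-Object HostName, @{n='Flags';e={$_.RecordData.KeyFlags}},
                  @{n='Alg';e={$_.RecordData.CryptoAlgorithm}}
"RRSIG records: " + (Get-DnsServerResourceRecord -ZoneName $zone -RRType RRSig).Count

# 5. Export the DS set (dsset-<zone> file) for the parent zone operator. The
#    chain of trust is incomplete until the parent publishes the DS record.
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
Export-DnsServerDnsSecPublicKey -ZoneName $zone -Path $outDir -DigestType Sha256 -Force
Get-Content (Join-Path $outDir "dsset-$zone")

# 6. Query a validating resolver with the DO bit set. A validated answer returns
#    RRSIG records next to the A record; a broken chain returns SERVFAIL instead.
$answer = Resolve-DnsName -Name "www.$zone" -Type A -Server $resolver -DnssecOk
if ($answer.Type -contains 'RRSIG') { 'Signed answer: RRSIG records present' }
$answer | Format-Table Name, Type, Section, TTL -AutoSize
```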

Conclusion

In this section, you learned how cryptographic key management and zone signing form the backbone of DNSSEC in hybrid environments. You now understand the roles of Zone Signing Keys and Key Signing Keys, as well as the critical DNSSEC records: DNSKEY, RRSIG, NSEC/NSEC3, and DS. You also know how to automate key generation, signing, and DS record publication to maintain an unbroken chain of trust. Finally, you grasp the importance of Trust Anchors and validation processes for ensuring the integrity and authenticity of DNS responses.