Hello. First of all, thanks for your answer.
I´m have a win2012 test enviorement with dns and one dns primary zone signed with dnssec. i conigure gpo in dns server about nrpt.
my dnsclientnrptpolicy is good configurated.(dnssecvalidationrequired: true)
how can i prevent computer clients ( win8) don´t resolve ip-name if this it´s not firmed DNSSEC.
for example, if i do mitm attack with arp poisining, i want my client dont "trust" about one fake dns resolution. only accept win 2012 dnssec server resolution.
thanks for all.
http://kinomakino.blogspot.com