Hi,
I'm having trouble configuring DNSSEC on my 2008 R2 server. I don't want to sign a zone, just provide the clients with the option to use DNSSEC in their queries. As I understand it, all I have to do is insert the trust anchor for the root zone. But I can't even get past that:
- I could not find any documentation on how to enter the trust anchor. I have the trust anchor here (retrieved with BIND dig.exe), and I know the dialog in DNS manager it should go into - what I don't know and can't find any mention of is what format to use, how to convert the key, or how to set the "name" (a single dot to designate "root zone", right?) and the rest of the options.
- If I paste the key into the dialog and restart the DNS service, it won't respond any more. NSLOOKUP (on the server) reports "server fail" and a timeout after two seconds. I don't understand this either - shouldn't the server return a response in any case, even if a wrong trust anchor leads to an invalid result? Isn't it the client who's supposed to accept or reject the result as it sees fit?
Any help would be appreciated.
Regards,
AngusMac