lifenjoiner edited this page Apr 5, 2026 · 1 revision

DNSSEC on Windows

Unfortunate limits

It seems that no version of Windows validates DNSSEC itself. Windows uses a "security-aware" stub resolver that can only tell secure responses from non-secure ones by relying on a recursive name server to do the validation for it.

So Windows can only gain DNSSEC protection by working together with a trusted DNS server that validates DNSSEC on its behalf.

Even Windows Server 2012 supports DNSSEC only when acting as a server, not as a client.

Ref: https://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions#Tools

How to configure

  1. Turn on the filter:

    # Server must support DNS security extensions (DNSSEC)
    require_dnssec = true
    
  2. Some servers support DNSSEC but don't use it by default; they validate only when the query asks for it. So choose servers that use DNSSEC by default, or disable those that don't:

    # Server names chosen to use
    server_names = []
    
    # Server names to avoid even if they match all criteria
    disabled_server_names = []
    
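To confirm that the resolver dnscrypt-proxy forwards to really returns validated answers (the AD flag a security-aware stub looks for), the following added script, which is not part of this wiki or of dnscrypt-proxy, sends a query with the EDNS0 DO bit set and reports whether AD came back. It assumes dnscrypt-proxy is listening on its default 127.0.0.1:53 and uses example.com as a constructed query name.

```python
"""Check whether the local resolver returns DNSSEC-validated (AD) answers."""
import socket
import struct

DO_FLAG = 0x8000  # DNSSEC OK bit, carried in the EDNS0 OPT pseudo-TTL (RFC 6891)


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build an A/IN query with RD=1 and an OPT record whose DO bit is set."""
    # id, flags (RD only), QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT RR)
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/DO, RDLEN=0
    opt = b"\x00" + struct.pack(">HHIH", 41, 4096, DO_FLAG, 0)
    return header + question + opt


def parse_flags(resp: bytes) -> dict:
    """Extract the header bits relevant to DNSSEC from a raw DNS response."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    qid, flags = struct.unpack(">HH", resp[:4])
    return {
        "id": qid,
        "rcode": flags & 0x000F,
        "ad": bool(flags & 0x0020),  # Authentic Data: upstream validated the answer
        "cd": bool(flags & 0x0010),  # Checking Disabled echoed back
        "tc": bool(flags & 0x0200),  # truncated, retry over TCP if set
    }


def check_ad(name: str, server: str = "127.0.0.1", port: int = 53, timeout: float = 3.0) -> dict:
    """Send the query over UDP to the configured resolver and return the parsed flags."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, port))
        resp, _ = sock.recvfrom(4096)
    flags = parse_flags(resp)
    if flags["id"] != 0x1234:
        raise ValueError("response id does not match query")
    return flags


if __name__ == "__main__":
    # example.com is a constructed query name; 127.0.0.1:53 is the assumed dnscrypt-proxy listener
    result = check_ad("example.com")
    print("validated (AD):", result["ad"], "rcode:", result["rcode"])
```

AD is only set for answers from signed zones, so test with a domain you know is signed; an unsigned domain returns a normal answer without AD regardless of the resolver.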

Known disabled_server_names

    disabled_server_names = ['plan9dns-fl', 'plan9dns-fl-ipv6', 'plan9dns-mx', 'plan9dns-mx-ipv6', 'plan9dns-nj', 'plan9dns-nj.ipv6', 'plan9dns-fl-doh', 'plan9dns-fl-doh-ipv6', 'plan9dns-mx-doh', 'plan9dns-mx-doh-ipv6', 'plan9dns-nj-doh', 'plan9dns-nj-doh-ipv6']
