DNSSEC is it worth doing for a medium sized office

  • Question

  • Hello, I currently have an office that has roughly 70 computers and 3 domain controllers running DNS. Is it worth setting up a signed zone for our DNS internally or is that going to cause more headaches than it's worth? We are running Server 2012 R2.

    If I set up DNSSEC and sign the zone but don't deploy the group policy to make the clients DNSSEC aware can I do that for a small group of computers to test or once it's signed does everyone have to use DNSSEC?

    Thank you

    • Edited by jkay1804 Monday, February 25, 2019 2:25 PM
    Monday, February 25, 2019 2:15 PM


  • Hi,

    In general, if an internal domain zone is not at risk for attack, it is not advisable to sign it with DNSSEC unless it is required by government or corporate policy.

    Internal zones are typically less vulnerable to attack, either because they are not exposed to the Internet or because other security protocols have been implemented to protect them. These zones might not benefit as much from signing with DNSSEC and might be associated with more of an administrative burden because of multiple domain-joined client computers that require access to domain services such as LDAP, Net Logon, Kerberos, and others.

    Best regards,



    • Marked as answer by jkay1804 Tuesday, February 26, 2019 1:57 PM
    Tuesday, February 26, 2019 2:30 AM