You need to create a DNS zone that is available on DC1 and DC2

Your network contains an Active Directory forest. The forest contains two domains named
contoso.com and east.contoso.com. The contoso.com domain contains a domain controller
named DC1. The east.contoso.com domain contains a domain controller named DC2. DC1
and DC2 have the DNS Server server role installed.
You need to create a DNS zone that is available on DC1 and DC2. The solution must ensure
that zone transfers are encrypted.
What should you do?

A.
Create a primary zone on DC1 and store the zone in a zone file. On DC1 and DC2,
configure inbound rules and outbound rules by using Windows Firewall with Advanced
Security. Create a secondary zone on DC2 and select DC1 as the master.

B.
Create a primary zone on DC1 and store the zone in a DC=ForestDNSZones,
DC=Contoso, DC=com naming context.

C.
Create a primary zone on DC2 and store the zone in the DC= DC=East,
DC=Contoso,DC=com naming context. Create a secondary zone on DC1 and select DC2 as
the master.

D.
Create a primary zone on DC1 and store the zone in a zone file. Configure DNSSEC for
the zone. Create a secondary zone on DC2 and select DC1 as the master.

Explanation:
Correct answer: B. Storing the zone in the DC=ForestDNSZones,DC=Contoso,DC=com
naming context makes it an Active Directory-integrated zone with forest-wide
replication scope, so every DNS server running on a domain controller in the forest
hosts it, including DC1 in contoso.com and DC2 in east.contoso.com. The zone data then
moves between DC1 and DC2 as ordinary Active Directory replication, which is
encrypted. Options A, C and D all rely on a secondary zone fed by standard zone
transfers (AXFR/IXFR), which the DNS Server role sends in clear text: firewall rules
(A) only control which hosts may connect, a domain-scoped partition (C) replicates only
within east.contoso.com, and DNSSEC (D) signs the records but does not encrypt them.
http://technet.microsoft.com/en-us/library/cc781101.aspx
Securing DNS Zone Replication
Using Active Directory Replication
Replicating zones as part of Active Directory replication provides the following security
benefits:
Active Directory replication traffic is encrypted; therefore zone replication traffic is encrypted
automatically.
(…)
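The procedure behind option B, written out in PowerShell as an added example (this is not code from the original page or from the cited TechNet article). It assumes the DnsServer module on DC1, an elevated session, and a placeholder zone name `app.contoso.com`; the host name `DC2.east.contoso.com` is likewise assumed from the question's scenario.

```powershell
# Added example, not from the original page. Assumes the DnsServer PowerShell
# module (installed with the DNS Server role) on DC1 in contoso.com, run as a
# domain administrator. "app.contoso.com" is a placeholder zone name chosen for
# this example; DC2.east.contoso.com is the second DC from the question.

$ZoneName = 'app.contoso.com'

# 1. Create the zone as Active Directory-integrated with forest-wide replication
#    scope. That places it in the ForestDNSZones application partition
#    (DC=ForestDNSZones,DC=contoso,DC=com), so every DNS server on a DC in the
#    forest, DC2 in east.contoso.com included, receives it through AD
#    replication rather than through a zone transfer.
Add-DnsServerPrimaryZone -Name $ZoneName -ReplicationScope Forest -DynamicUpdate Secure

# 2. Close the clear-text path: refuse AXFR/IXFR zone transfers for this zone.
#    AD replication does not use zone transfers, so DC2 still gets the data.
Set-DnsServerPrimaryZone -Name $ZoneName -SecureSecondaries NoTransfer

# 3. Verify on DC1: IsDsIntegrated must be True, ReplicationScope Forest,
#    SecureSecondaries NoTransfer.
Get-DnsServerZone -Name $ZoneName |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, SecureSecondaries

# 4. Repeat the check on DC2 once AD replication has converged; the zone
#    should appear there with the same settings and without any secondary
#    zone or master server having been configured.
Get-DnsServerZone -Name $ZoneName -ComputerName 'DC2.east.contoso.com' |
    Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope, SecureSecondaries

# 5. Audit the server for the pattern the other options would leave behind:
#    a primary zone kept in a zone file, or one that still permits transfers,
#    replicates in clear text to any secondary that pulls it.
Get-DnsServerZone -ComputerName 'DC1.contoso.com' |
    Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
    Where-Object { -not $_.IsDsIntegrated -or $_.SecureSecondaries -ne 'NoTransfer' } |
    Select-Object ZoneName, IsDsIntegrated, ReplicationScope, SecureSecondaries
```

Step 2 is the check a practitioner adds on top of the exam answer: an AD-integrated zone still honours its zone-transfer setting, so unless transfers are disabled (or restricted to known name servers) the encrypted replication path and an unencrypted AXFR path can coexist on the same zone.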

http://en.wikipedia.org/wiki/Domain_Name_System_Security_Extensions
DNSSEC was designed to protect Internet resolvers (clients) from forged DNS data, such as
that created by DNS cache poisoning. All answers in DNSSEC are digitally signed. By
checking the digital signature, a DNS resolver is able to check if the information is identical
(correct and complete) to the information on the authoritative DNS server. DNSSEC does
not provide confidentiality of data; in particular, all DNSSEC responses are authenticated but
not encrypted.

http://www.nlnetlabs.nl/publications/dnssec_howto/

Example structure of DNSSEC records.

http://www.efficientip.com/dnssec
It is important to note that DNSSEC does not supply a solution for data confidentiality but
only a validation of DNS data authenticity and integrity. None of the information exchanged
is encrypted; it is only the signature which is encrypted.

http://technet.microsoft.com/en-us/library/ee649277.aspx
Zone transfers
Zone transfers of a DNSSEC-signed zone function in the same way they do for an unsigned
zone. All of the resource records, including DNSSEC resource records, are transferred from
the primary server to the secondary servers with no additional setup requirements.
