DNSSEC feature helps to protect DNS traffic from threats. In Server 2012, DNSSEC has been made simpler deploy and supports secure dynamic updates in Active Directory integrated zones. Windows Server 2012 supports validations of records signed with updated DNSSEC standards (NSEC3 and RSA/SHA-2 standards). Previously, you could not sign records with NSEC3 and RSA/SHA-2.
1. Open Server Manager and then Click DNS Manager.
2. In the DNS Manager console, Select DNSSEC and then select Sign The Zone.
3. click Next.
4. Select Customize Zone Signing Parameters and then Click Next.
5. Select one DNS server as the key master for the zone. The key master is responsible for generating new signing keys.
6. Click Next.
7. On the key signing key page, Click Add.
8. Click Ok.
9. Click Next.
10. On zone signing key, Click Next.
11. On the Zone Signing Key page, Click Add to configure a ZSK.
12. Click Ok.
13. Click Next.
14. Select NSEC3 resource record rather than the older NSEC resource record for authenticated denial of existence.
15. By default, trust anchors are updated automatically.You also can enable the distribution of trust anchors for the zone.
16. For signing and polling, SHA-1 and SHA-256 are the default algorithms used. Click Next.
17. Click Next.
18. After the wizard signs the zone, click Finish.