This article describes an issue in which the Domain Name System Security Extensions (DNSSEC) validation fails on a Windows Server 2012 R2-based DNS server. Before you install this update, see the Prerequisites section.
This issue occurs if the DNSKEY query is targeted for a name that has DNAME configured. In this situation, the Windows Server 2012 R2-based DNS server responds back with the DNSKEY rather than the correct target name.
Important If you install a language pack after you install this update, you must reinstall this update. Therefore, we recommend that you install any language packs that you need before you install this update. For more information, see Add language packs to Windows.
Method 1: Windows UpdateThis update is provided as a Recommended update on Windows Update. For more information on how to run Windows Update, see How to get an update through Windows Update.
Method 2: Microsoft Download CenterThe following files are available for download from the Microsoft Download Center:
For more information about how to download Microsoft support files, select the following article number to view the article in the Microsoft Knowledge Base:
|All supported x64-based versions of Windows Server 2012 R2||Download the package now.|
119591 How to obtain Microsoft support files from online servicesMicrosoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.
PrerequisitesTo install this update, you should first install April 2014, update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 (2919355) in Windows Server 2012 R2.
Registry informationTo apply this update, you don't have to make any changes to the registry.
Restart requirementYou may have to restart the computer after you apply this update.
Update replacement informationThis update doesn't replace a previously released update.
After you install this update, the DNAME resolution by Microsoft DNS Servers will be changed.
Previously, you could query for the domain (type=ANY or type=A) example.com, and get back the the host (A) record for the DNAME. After you install this update, that query fails.
This change was made for compliancy with RFC 6672.
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.
Article ID: 3133954 - Last Review: Mar 15, 2017 - Revision: 3
Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Standard, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation