DNSSEC broken in Windows 2016's DNS server?

I'm currently in the process of migrating a DNS server from Windows 2012 R2 to Windows 2016. However, I have run into an issue with DNSSEC. So far I have just moved one domain, an unused test domain, from the Win2012 server to the Win2016 server, and I am getting DNSSEC validation errors on just about every DNSSEC validation tool I have tested ("No RRSIGs found", "Nameserver does not do DNSSEC extra processing.", "No valid RRSIGs made by a key corresponding to a DS RR were found covering the DNSKEY RRset, resulting in no secure entry point (SEP) into the zone.", etc.).

On the Win2012 box, the DNS server config dialog has an option "Enable DNSSEC validation for remote responses":

[Screenshot: DNS server properties on Windows 2012 R2]

The same option is missing on Windows 2016:

[Screenshot: DNS server properties on Windows 2016]

Help, what's going on here?

Apparently, others have run into the same issue. Here are two other discussions I found when googling this problem:

http://webcache.googleusercontent.com/search?q=cache:fEdkPUHEA40J:lists.cloudapp.net/pipermail/windns-users/2016-July/000133.html+&cd=2&hl=en&ct=clnk

https://social.technet.microsoft.com/Forums/en-US/34e0d2b2-438b-4116-9329-78ecc1e1d550/dnssec-validation-fail-in-windows-server-2016

Update: after a bit of googling, I found this article:

http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation

...which has a command line option for enabling DNSSEC:

DnsCmd.exe /Config /enablednssec 1

...and that solved it for me.


Solution 1:

The solution, found at http://info.menandmice.com/blog/bid/88297/Windows-2012-Server-Enabling-DNSSEC-validation, was to run:

DnsCmd.exe /Config /enablednssec 1
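
To confirm the change from any client, the check behind the "No RRSIGs found" message can be reproduced by sending the server a query with the EDNS0 DO bit set and looking for RRSIG records in the answer. The following is an added example, not part of the original post or of the linked article; the function names and the `example.test` sample reply are constructed for illustration, and it tests only for the presence of signatures, not their cryptographic validity.

```python
import socket
import struct

SOA, OPT, RRSIG = 6, 41, 46

def build_query(name, qtype=SOA, txid=0x1234):
    """Non-recursive query with an EDNS0 OPT record that sets the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 1)  # 1 question, 1 additional
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    # OPT RR: root name, class = UDP payload size, TTL field carries DO (0x8000)
    opt = b"\x00" + struct.pack("!HHIH", OPT, 4096, 0x8000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def skip_name(msg, off):
    """Offset just past a name, which may end in a compression pointer."""
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += 1 + msg[off]
    return off + (2 if msg[off] else 1)

def answer_types(msg):
    """RR types present in the answer section of a response."""
    qd, an = struct.unpack("!HH", msg[4:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # name + qtype + qclass
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        types.append(rtype)
        off += 10 + rdlen
    return types

def has_rrsig(msg):
    return RRSIG in answer_types(msg)

def check_server(server, zone, timeout=3.0):
    """Ask an authoritative server for the zone's SOA with DO set."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone), (server, 53))
        return has_rrsig(s.recvfrom(4096)[0])

def sample_response(signed):
    """Constructed reply for example.test; RDATA is placeholder bytes."""
    rr = lambda t: b"\xc0\x0c" + struct.pack("!HHIH", t, 1, 3600, 4) + b"\x00" * 4
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 2 if signed else 1, 0, 0)
    return hdr + build_query("example.test")[12:-11] + rr(SOA) + (rr(RRSIG) if signed else b"")
```

`check_server("<server address>", "<zone name>")` returns `False` while the server answers without signatures and `True` once RRSIGs accompany the SOA record.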