Export-DnsServerDnsSecPublicKey
Exports DS and DNSKEY information for a DNSSEC-signed zone.
Syntax
Export-DnsServerDnsSecPublicKey
[-ComputerName <String>]
[-ZoneName] <String>
[-Path <String>]
[-PassThru]
[-UnAuthenticated]
[-Force]
[-NoClobber]
[-CimSession <CimSession[]>]
[-ThrottleLimit <Int32>]
[-AsJob]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Export-DnsServerDnsSecPublicKey
[-ComputerName <String>]
[-ZoneName] <String>
[-Path <String>]
[-PassThru]
[-UnAuthenticated]
[-Force]
[-NoClobber]
-DigestType <String[]>
[-CimSession <CimSession[]>]
[-ThrottleLimit <Int32>]
[-AsJob]
[-WhatIf]
[-Confirm]
[<CommonParameters>]
Description
The Export-DnsServerDnsSecPublicKey cmdlet exports delegation signer (DS) or Domain Name System public key (DNSKEY) information for a Domain Name System Security Extensions (DNSSEC)-signed zone.
Examples
Example 1: Export a trust anchor to a file share
PS C:\> Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.Contoso.com" -ZoneName "Contoso.com" -Path "\\MyDNSKeyShare\keys" -PassThru -DigestType "Sha1"
Exporting a trust anchor without using authentication is insecure unless DNSSEC is active on "${ComputerName}", a trust anchor covering "${ZoneName}" is installed, and the connection between the local machine and "${ComputerName}" is secure. Consider alternative means of exporting the trust anchors, such as the DNSCMD protocol, email, or HTTPS. Proceed? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
This command exports the trust anchor (DS record) for Contoso.com to a file share. A DNS administrator runs this command from the DNS server that hosts the zone Contoso.com and specifies that the zone signing key uses the SHA-1 algorithm to create the DS record.
This command creates Dsset-Contoso.com in \\MyDNSKeyShare\keys and writes the DS record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.
Example 2: Export a trust anchor by using unauthorized access
PS C:\> Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.contoso.com" -ZoneName "Contoso.com" - Path "\\MyDNSKeyShare\keys" -PassThru -UnAuthorized -Force
Exporting a trust anchor without using authentication is insecure unless DNSSEC is active on "${ComputerName}", a trust anchor covering "${ZoneName}" is installed, and the connection between the local machine and "${ComputerName}" is secure. Consider alternative means of exporting the trust anchors, such as the DNSCMD protocol, email, or HTTPS. Proceed? [Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "Y"): Y
Note: User typing N exits out of the command with no export or output
This command exports a trust anchor (DNSKEY record) for Contoso.com to a file share. The DNS administrator who runs this command has no permissions to the DNS server that hosts the zone Contoso.com. This command specifies that the zone signing key uses the SHA-1 algorithm to create the DS record.
This command creates Keyset-Contoso.com in \\MyDNSKeyShare\keys and writes the DS record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.
Example 3: Get the trust anchors for all the signed zones
PS C:\> Get-DnsServerZone | ForEach-Object {Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.Contoso.com" -ZoneName "Contoso.com" -Path "\\MyDNSKeyShare\keys" -PassThru -UnAuthorized -Force }
This command gets the trust anchors for all the signed zones that are hosted on the DNS server Contoso.com. In this scenario the DNS Server is currently hosting signed zones for contoso.com, dinnernow.com and hrweb.net
The command uses a Foreach-Object cmdlet to export the trust anchors and pipe the results to the Get-DnsServerZone cmdlet.
This command creates a keyset file in the share for each signed zone that is hosted on the DNS server (Keyset-Contoso.com, Keyset-Dinnernow.com, Keyset-Hrweb.net) and writes the DNSKEY record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.
Example 4: Import a trust anchor to a non-authorized DN server
PS C:\> $publicKey = Export-DnsServerDnssecPublicKey -ZoneName "contoso.com" -Path "C:\" -PassThru -UnAuthenticated -Force
PS C:\> $publicKey[0].RecordData | Add-DnsServerTrustAnchor -Name "constoso.com" -ComputerName "DNSDC1.Contoso.com"
The first command exports the trust anchor (DNSKEY record) for Contoso.com to the specified path, and stores the results in the $publicKey variable. The UnAuthenticated parameter indicates that the DNS administrator who runs this command has no permissions to the DNS server that hosts the zone Contoso.com.
The second command adds the first trust record that was exported from Contoso.com into a non-authoritative DNS server named DNSDC1.Contoso.com.
Parameters
-AsJob
ps_cimcommon_asjob
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-CimSession
Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSessionhttp://go.microsoft.com/fwlink/p/?LinkId=227967 or Get-CimSessionhttp://go.microsoft.com/fwlink/p/?LinkId=227966 cmdlet. The default is the current session on the local computer.
Type: | CimSession[] |
Aliases: | Session |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ComputerName
Specifies a remote DNS server. You can specify an IP address or any value that resolves to an IP address, such as a fully qualified domain name (FQDN), host name, or NETBIOS name.
Type: | String |
Aliases: | Cn |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Confirm
Prompts you for confirmation before running the cmdlet.
Type: | SwitchParameter |
Aliases: | cf |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DigestType
Specifies an array of algorithms that the zone signing key uses to create the DS record. The acceptable values for this parameter are:
- Sha1
- Sha256
- Sha384
Type: | String[] |
Accepted values: | Sha1, Sha256, Sha384 |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-Force
Exports the signing key without prompting you for confirmation. By default, the cmdlet prompts you for confirmation before it proceeds.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-NoClobber
Specifies that the export operation does not overwrite an existing export file that has the same name.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PassThru
Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Path
Specifies the absolute path that the cmdlet uses to place the keyset file. The cmdlet automatically names the file according to the zone name.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | True |
Accept wildcard characters: | False |
-ThrottleLimit
Specifies the maximum number of concurrent operations that can be established to run the cmdlet.
If this parameter is omitted or a value of 0
is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer.
The throttle limit applies only to the current cmdlet, not to the session or to the computer.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UnAuthenticated
Indicates that an unauthenticated user is running this cmdlet. The provider DNS server queries for the DS or DNSKEY information and exports the required data even if you do not have permissions to run the cmdlet on the remote DNS server.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Type: | SwitchParameter |
Aliases: | wi |
Position: | Named |
Default value: | False |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ZoneName
Specifies the name of the primary zone for which the cmdlet exports the signing keys.
Type: | String |
Aliases: | TrustPointName, TrustAnchorName |
Position: | 1 |
Default value: | None |
Required: | True |
Accept pipeline input: | True |
Accept wildcard characters: | False |