Sign a Zone File
Updated: October 7, 2009
Applies To: Windows Server 2008 R2
Tip
This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.
The Dnscmd.exe command takes as input the zone file and keys and returns as output the signed zone file. To sign the zone, use the DnsCmd /OfflineSign /SignZone
command. A description of command options is provided below. A DNS server running Windows Server® 2008 R2 is required to sign a zone file. Perform this procedure in a secure facility.
Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
Signing a zone file
Use the following procedures to sign a zone file. If the zone is Active Directory integrated, you must first export the zone to a file.
Warning
Signing of an Active Directory integrated zone will disable dynamic updates for that zone.
To sign a file backed zone
Open an elevated command prompt and browse to the folder where the zone file to be signed is stored. By default, zone files are stored in the %windir%\System32\DNS directory.
Type the following command, and then press ENTER:
DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /ValidTo <validtodate> /ValidFrom <validfromdate> /cert /friendlyname ksk-<zone name> /signkey /cert /friendlyname zsk-<zone name>
To sign an Active Directory integrated zone
Open an elevated command prompt and browse to the %windir%\System32\DNS directory.
Type the following command, and then press ENTER:
dnscmd /ZoneExport <zone name> <input zone file>
Warning
Back up the zone file before proceeding. For more information, see Back up a Zone File.
Type the following command, and then press ENTER:
DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /ValidTo <validtodate> /ValidFrom <validfromdate> /cert /friendlyname ksk-<zone name> /signkey /cert /friendlyname zsk-<zone name>
Value | Description |
---|---|
dnscmd |
The command-line tool for managing DNS servers. |
/OfflineSign |
Required. Used with the GenKey, DeleteKey, ImportKey, or SignZone commands to modify certificates and keys or to sign a zone file. |
/SignZone |
Required. Used to sign a zone file. |
/input |
Required. Used with <input filename> to designate the zone file to be signed. |
<input filename> |
Required. The file name of the zone file to be signed. |
/output |
Required. Used with <output filename> to designate the name of the zone file after it has been signed. |
<output filename> |
Required. The file name of the signed zone. |
/Zone |
Required. Used with <zone name> to specify the fully qualified domain name (FQDN) of the zone. |
<zone name> |
Required. The FQDN of the zone. |
/Signkey |
Required. Specifies the key that will be used to sign the zone. |
/ValidFrom |
Optional. Used with <validfromdate> to specify the start time of the validity period of RRSIG records created using this key. If not specified, the validity period will start one hour prior to the current UTC time. |
<validfromdate> |
Optional. Specifies the UTC start time of the validity period in YYYYMMDDHHMMSS format. |
/ValidTo |
Optional. Used with <validtodate> to specify the end time of the validity period of RRSIG records created using this key. If not specified, the validity period will end 30 days from the start of the validity period for zone signing keys or 13 months from the start of the validity period for key signing keys. |
<validtodate> |
Optional. Specifies the UTC end time of the validity period in YYYYMMDDHHMMSS format. |
/Cert |
Required. Specifies that keys are stored in a certificate. |
/FriendlyName |
Used with KSK-<zone name> or ZSK-<zone name> to specify the friendly name of the self-signed certificate. |
KSK-<zone name> |
Specifies the friendly name of the self-signed certificate used with a KSK. |
ZSK-<zone name> |
Specifies the friendly name of the self-signed certificate used with a ZSK. |
Additional considerations
Consider the following with regard to zone signing with dnscmd:
Multiple keys can be specified in the signing operation by repeating the switch
/signkey /cert /friendlyname <Friendly name of the certificate>
. The number of signatures that will be generated will be based on the number of keys provided. Multiple KSKs and ZSKs can be specified in the same signing command.Additional keys can be added to a zone by specifying
/addkey /cert /friendlyname <Friendly name of the certificate>
. These keys will not be used for signing. At least one signing key must always be specified when the/addkey
option is used; otherwise, the output zone file will not be DNSSEC-signed.If not specified, the default validity period is 30 days for ZSK and 13 months for KSK.
If the input file is already a signed zone file, then the signing tool will delete all DNSSEC resource records and re-sign the zone.
The keyset-<zone name> and dsset-<zone name> files are generated during the zone signing process. These files are used to store trust anchors and delegation signer (DS) records for the zone. For more information, see Distribute Trust Anchors and When to Re-sign a Zone File.