Procedure: Enable Automatic Update of Trust Anchors on Key Rollover
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the following procedures to enable automatic update of trust anchors on key rollover using the DNS Manager console or Windows PowerShell. When you have completed the procedures in this topic, return to the parent checklist.
The following procedures enable automatic trust anchor updates for a zone that is already signed with DNSSEC.
If the zone is not signed and you want to enable automatic trust anchor updates when the zone is signed, see Procedure: Customize Zone Signing Parameters or Procedure: Use Default Settings to Sign the Zone. This setting is enabled by default.
Important
If it is enabled, automatic update of trust anchors only occurs during an automatic key rollover. Trust anchors are not updated if you perform a manual key rollover.
Choose to use DNS Manager or Windows PowerShell:
Enable automatic update of trust anchors on key rollover using DNS Manager
Enable automatic update of trust anchors on key rollover using Windows PowerShell
Enable automatic update of trust anchors on key rollover using DNS Manager
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To enable automatic update of trust anchors on key rollover using DNS Manager
Open DNS Manager on a primary, authoritative DNS server, or connect to a primary, authoritative DNS server with DNS Manager.
In the console tree, right-click the zone where you plan to enable automatic update of trust anchors, point to DNSSEC, and then click Properties.
Click the KSK tab.
For each KSK that is listed under Key signing keys (KSKs), click the KSK, click Edit, and in the Key Rollover section, select the Enable automatic rollover check box.
Edit the Rollover frequency if desired, and then click OK.
Click the ZSK tab.
For each ZSK that is listed under Zone signing keys (ZSKs), click the ZSK, click Edit, and in the Key Rollover section, select the Enable automatic rollover check box.
Edit the Rollover frequency if desired, and then click OK.
Click OK to close the DNSSEC properties dialog box.
In the pop-up window that appears, click Yes to confirm the changes that were made to the zone.
Verify that Configuration of DNSSEC parameters was successful is displayed, and then click OK.
Enable automatic update of trust anchors on key rollover using Windows PowerShell
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To use the Windows PowerShell examples that are provided, replace the server and zone names with the names of the servers and zones that are used in your environment.
To enable automatic update of trust anchors on key rollover using Windows PowerShell
Open an elevated Windows PowerShell prompt on a primary, authoritative DNS server.
You can use the Get-DnsServerSigningKey cmdlet to retrieve the KeyId values for signing keys in the zone, and then use the Enable-DnsServerSigningKeyRollover cmdlet to enable key rollover for all signing keys. See the following example.
PS C:\> Get-DnsServerSigningKey -ZoneName secure.contoso.com | Enable-DnsServerSigningKeyRollover -Force
In the previous example, the Force parameter is used to skip confirmation.
If you wish to enable rollover for some signing keys and not others, you must specify the individual KeyId of each signing key. See the following examples.
PS C:\> Get-DnsServerSigningKey -ZoneName secure.contoso.com

KeyId                                KeyType        CryptoAlgorithm KeyLength StoreKeysInAD IsRolloverEnabled
-----                                -------        --------------- --------- ------------- -----------------
5f7d05be-1bb6-4a0c-b923-f9be300bf6ea KeySigningKey  RsaSha1NSec3    2048      True          False
a2a72d54-f9d7-4b4b-a115-a4097092f5bf ZoneSigningKey RsaSha1NSec3    1024      True          False

PS C:\> Enable-DnsServerSigningKeyRollover -ZoneName secure.contoso.com -KeyId 5f7d05be-1bb6-4a0c-b923-f9be300bf6ea -Force

PS C:\> Get-DnsServerSigningKey -ZoneName secure.contoso.com

KeyId                                KeyType        CryptoAlgorithm KeyLength StoreKeysInAD IsRolloverEnabled
-----                                -------        --------------- --------- ------------- -----------------
5f7d05be-1bb6-4a0c-b923-f9be300bf6ea KeySigningKey  RsaSha1NSec3    2048      True          True
a2a72d54-f9d7-4b4b-a115-a4097092f5bf ZoneSigningKey RsaSha1NSec3    1024      True          False
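As an added example that is not part of the original procedure, the following script wraps the two cmdlets above so that automatic rollover is enabled only on keys where it is still off and the zone is re-read afterward to confirm the change. The zone name, the optional KeyType filter and the -WhatIf preview switch are assumptions for illustration; the KeyId, KeyType and IsRolloverEnabled property names are those shown in the output above.

```powershell
# Added example, not code from the original page. Assumes 'secure.contoso.com'
# is a placeholder zone name and that the script runs in an elevated prompt on a
# primary, authoritative DNS server.
param(
    [string]$ZoneName = 'secure.contoso.com',
    [ValidateSet('All', 'KeySigningKey', 'ZoneSigningKey')]
    [string]$KeyType = 'All',          # optionally limit the change to KSKs or ZSKs
    [switch]$WhatIf                    # preview without changing the zone
)

# Read the current signing keys for the zone.
$keys = Get-DnsServerSigningKey -ZoneName $ZoneName
if ($KeyType -ne 'All') {
    $keys = $keys | Where-Object { $_.KeyType -eq $KeyType }
}

# Only touch keys where rollover is still disabled, so re-running is harmless.
$pending = $keys | Where-Object { -not $_.IsRolloverEnabled }
if (-not $pending) {
    Write-Output "All selected signing keys in $ZoneName already have automatic rollover enabled."
    return
}

foreach ($key in $pending) {
    Write-Output "Enabling automatic rollover for $($key.KeyType) $($key.KeyId)"
    # -Force skips the confirmation prompt; -WhatIf:$true only reports what would change.
    Enable-DnsServerSigningKeyRollover -ZoneName $ZoneName -KeyId $key.KeyId -Force -WhatIf:$WhatIf
}

if ($WhatIf) { return }

# Verify: re-read the zone and report any selected key that is still not enabled.
$after = Get-DnsServerSigningKey -ZoneName $ZoneName |
    Where-Object { $pending.KeyId -contains $_.KeyId }
$stillOff = $after | Where-Object { -not $_.IsRolloverEnabled }
if ($stillOff) {
    $stillOff | ForEach-Object { Write-Warning "Rollover still disabled for $($_.KeyType) $($_.KeyId)" }
    exit 1
}
Write-Output "Automatic rollover is now enabled for $($after.Count) key(s) in $ZoneName."
```

Because trust anchors are only updated during an automatic rollover, a key that this script reports as still disabled will not have its trust anchor refreshed when it is rolled.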