Procedure: Review Key Rollover Status

Applies To: Windows Server 2012 R2, Windows Server 2012

Use the following procedures to display and review rollover status of signing keys using the DNS Manager console or Windows PowerShell. When you have completed the procedures in this topic, return to the parent checklist.

You can use DNS Manager or Windows PowerShell to review rollover status:

• Review key rollover status in DNS Manager

• Review key rollover status in Windows PowerShell

Review key rollover status in DNS Manager

You can use DNS Manager to review basic key rollover status. However, Windows PowerShell provides additional settings for review.

Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To review key rollover status in DNS Manager

1. Open DNS Manager on a primary, authoritative DNS server, or connect to a primary, authoritative DNS server with DNS Manager.

2. Right-click a DNSSEC-signed zone, point to DNSSEC, and then click Properties.

3. To review KSK status, click the KSK tab, click a signing key under Key signing keys (KSKs), and then review information under Rollover status.

4. To review ZSK settings, click the ZSK tab, click a signing key under Zone signing keys (ZSKs), and then review information under Rollover status.

5. Click Cancel when you have finished.

Review key rollover status in Windows PowerShell

Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

In the Windows PowerShell commands that are used, replace secure.contoso.com with the name of the DNSSEC-signed zone that you want to review.

To review key rollover status in Windows PowerShell

1. Open an elevated Windows PowerShell prompt on a primary, authoritative DNS server.

2. To review signing key status, use the Get-DnsServerSigningKey cmdlet. See the following example.

   PS C:\> Get-DnsServerSigningKey -ZoneName secure.contoso.com | fl *
   
   KeyId                         : 0316fff3-03a8-451d-a4ad-db2f93e4070a
   IsRolloverEnabled             : True
   ActiveKey                     : {8F7CB3C7-A9A1-496A-96E6-D6D845D2F0F1}
   CryptoAlgorithm               : RsaSha256
   CurrentRolloverStatus         : NotRolling
   CurrentState                  : Active
   DnsKeySignatureValidityPeriod : 7.00:00:00
   DSSignatureValidityPeriod     : 7.00:00:00
   InitialRolloverOffset         : 00:00:00
   KeyLength                     : 2048
   KeyStorageProvider            : Microsoft Software Key Storage Provider
   KeyType                       : KeySigningKey
   LastRolloverTime              :
   NextKey                       :
   NextRolloverAction            : Normal
   NextRolloverTime              : 2/10/2016 2:27:53 PM
   RolloverPeriod                : 755.00:00:00
   RolloverType                  : DoubleSignature
   StandbyKey                    : {1F4FBEBD-D66F-485C-9076-187DD40B1993}
   StoreKeysInAD                 : True
   ZoneName                      : secure.contoso.com
   ZoneSignatureValidityPeriod   : 10.00:00:00
   PSComputerName                :
   CimClass                      : root/Microsoft/Windows/DNS:DnsServerSigningKey
   CimInstanceProperties         : {ActiveKey, CryptoAlgorithm, CurrentRolloverStatus, CurrentState...}
   CimSystemProperties           : Microsoft.Management.Infrastructure.CimSystemProperties
   
   KeyId                         : 60b46b4d-e1cb-433a-ac33-5d46687e860e
   IsRolloverEnabled             : True
   ActiveKey                     : {93BA0FC4-3931-4DBF-A205-F4EFB24C4E4E}
   CryptoAlgorithm               : RsaSha256
   CurrentRolloverStatus         : NotRolling
   CurrentState                  : Active
   DnsKeySignatureValidityPeriod : 7.00:00:00
   DSSignatureValidityPeriod     : 7.00:00:00
   InitialRolloverOffset         : 00:00:00
   KeyLength                     : 1024
   KeyStorageProvider            : Microsoft Software Key Storage Provider
   KeyType                       : ZoneSigningKey
   LastRolloverTime              :
   NextKey                       : {D1FDEAF4-F9AB-4D59-AF5A-A33856B2B0EE}
   NextRolloverAction            : Normal
   NextRolloverTime              : 4/16/2014 3:27:53 PM
   RolloverPeriod                : 90.00:00:00
   RolloverType                  : PrePublish
   StandbyKey                    :
   StoreKeysInAD                 : True
   ZoneName                      : secure.contoso.com
   ZoneSignatureValidityPeriod   : 10.00:00:00
   PSComputerName                :
   CimClass                      : root/Microsoft/Windows/DNS:DnsServerSigningKey
   CimInstanceProperties         : {ActiveKey, CryptoAlgorithm, CurrentRolloverStatus, CurrentState...}
   CimSystemProperties           : Microsoft.Management.Infrastructure.CimSystemProperties
   

   In the previous example, the Format-List (fl) parameter is used to display extended signing key status information.

See also

DNSSEC in Windows

DNSSEC Deployment Planning