Share via


Sign a Zone File

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

Tip

This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

The Dnscmd.exe command takes as input the zone file and keys and returns as output the signed zone file. To sign the zone, use the DnsCmd /OfflineSign /SignZone command. A description of command options is provided below. A DNS server running Windows ServerĀ® 2008 R2 is required to sign a zone file. Perform this procedure in a secure facility.

Membership in the local Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Signing a zone file

Use the following procedures to sign a zone file. If the zone is Active Directory integrated, you must first export the zone to a file.

Warning

Signing of an Active Directory integrated zone will disable dynamic updates for that zone.

To sign a file backed zone

  1. Open an elevated command prompt and browse to the folder where the zone file to be signed is stored. By default, zone files are stored in the %windir%\System32\DNS directory.

  2. Type the following command, and then press ENTER:

    DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /ValidTo <validtodate> /ValidFrom <validfromdate> /cert /friendlyname ksk-<zone name> /signkey /cert /friendlyname zsk-<zone name>
    

To sign an Active Directory integrated zone

  1. Open an elevated command prompt and browse to the %windir%\System32\DNS directory.

  2. Type the following command, and then press ENTER:

    dnscmd /ZoneExport <zone name> <input zone file>
    

Warning

Back up the zone file before proceeding. For more information, see Back up a Zone File.

  1. Type the following command, and then press ENTER:

    DnsCmd /OfflineSign /SignZone /input <input zone file> /output <output zone file> /zone <zone name> /signkey /ValidTo <validtodate> /ValidFrom <validfromdate> /cert /friendlyname ksk-<zone name> /signkey /cert /friendlyname zsk-<zone name>
    
Value Description

dnscmd

The command-line tool for managing DNS servers.

/OfflineSign

Required. Used with the GenKey, DeleteKey, ImportKey, or SignZone commands to modify certificates and keys or to sign a zone file.

/SignZone

Required. Used to sign a zone file.

/input

Required. Used with <input filename> to designate the zone file to be signed.

<input filename>

Required. The file name of the zone file to be signed.

/output

Required. Used with <output filename> to designate the name of the zone file after it has been signed.

<output filename>

Required. The file name of the signed zone.

/Zone

Required. Used with <zone name> to specify the fully qualified domain name (FQDN) of the zone.

<zone name>

Required. The FQDN of the zone.

/Signkey

Required. Specifies the key that will be used to sign the zone.

/ValidFrom

Optional. Used with <validfromdate> to specify the start time of the validity period of RRSIG records created using this key. If not specified, the validity period will start one hour prior to the current UTC time.

<validfromdate>

Optional. Specifies the UTC start time of the validity period in YYYYMMDDHHMMSS format.

/ValidTo

Optional. Used with <validtodate> to specify the end time of the validity period of RRSIG records created using this key. If not specified, the validity period will end 30 days from the start of the validity period for zone signing keys or 13 months from the start of the validity period for key signing keys.

<validtodate>

Optional. Specifies the UTC end time of the validity period in YYYYMMDDHHMMSS format.

/Cert

Required. Specifies that keys are stored in a certificate.

/FriendlyName

Used with KSK-<zone name> or ZSK-<zone name> to specify the friendly name of the self-signed certificate.

KSK-<zone name>

Specifies the friendly name of the self-signed certificate used with a KSK.

ZSK-<zone name>

Specifies the friendly name of the self-signed certificate used with a ZSK.

Additional considerations

Consider the following with regard to zone signing with dnscmd:

  • Multiple keys can be specified in the signing operation by repeating the switch /signkey /cert /friendlyname <Friendly name of the certificate>. The number of signatures that will be generated will be based on the number of keys provided. Multiple KSKs and ZSKs can be specified in the same signing command.

  • Additional keys can be added to a zone by specifying /addkey /cert /friendlyname <Friendly name of the certificate>. These keys will not be used for signing. At least one signing key must always be specified when the /addkey option is used; otherwise, the output zone file will not be DNSSEC-signed.

  • If not specified, the default validity period is 30 days for ZSK and 13 months for KSK.

  • If the input file is already a signed zone file, then the signing tool will delete all DNSSEC resource records and re-sign the zone.

  • The keyset-<zone name> and dsset-<zone name> files are generated during the zone signing process. These files are used to store trust anchors and delegation signer (DS) records for the zone. For more information, see Distribute Trust Anchors and When to Re-sign a Zone File.

See Also

Concepts

Checklist: Signing a Zone