
When to Re-sign a Zone File

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

The steps for re-signing the zone are identical to the steps that were originally used to sign the zone, except that it is often not necessary to generate new keys. However, you must consider the validity period used in key generation and zone signing. For more information, see Key Management and Checklist: Re-sign a Zone File.

The re-signing of a zone is performed only under the following circumstances:

  • If data in a signed zone was added, deleted, or modified, then the zone must be re-signed to generate new signatures. New keys do not need to be generated.

  • If a child zone is signed after the parent zone has been signed, then the DS records of the child zone must be added to the parent zone and the parent zone must be re-signed. New keys do not need to be generated.

  • If keys are compromised or become invalid, new keys must be generated, and the zone must be re-signed.

  • New keys are generated when key rollover is performed. For information about available rollover mechanisms, see the following topics:

    Important
    If the zone is being re-signed because it has been compromised, then you must also generate new keys.

When re-signing the zone, the input zone file must be the zone file of the currently loaded signed zone. For example, assume zonefile_v0.dns is the original unsigned copy and zonefile_v1.dns is the first signed copy. When you use Dnscmd.exe or DNS Manager to modify the zone, these updates are written to zonefile_v1.dns. You must use zonefile_v1.dns as the input when re-signing the zone and generate zonefile_v2.dns as the output. If you re-sign the zone again, use zonefile_v2.dns as the input.
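The validity period chosen at signing time is what eventually forces a re-signing even when no data changed. The following script is an added example, not code from Microsoft or the Windows DNS signing tool: it reads RRSIG records from signed zone-file text, reports how close the earliest signature expiration is, and derives the next output file name from the zonefile_v<N>.dns convention the text above uses as its illustration. The zone lines in SAMPLE_SIGNED_ZONE are constructed for the example and are not a real zone.

```python
"""Decide when a signed zone must be re-signed because its RRSIGs are lapsing.

Added example, not code from Microsoft or the Windows DNS signing tool. It reads
RRSIG records (RFC 4034 presentation format) from zone-file text and reports the
re-signing deadline set by the earliest signature expiration.
"""
import re
from datetime import datetime, timezone

# Constructed sample of a signed zone file (not a real zone). RRSIG RDATA order:
# type alg labels orig_ttl expiration inception keytag signer signature.
# Expiration and inception are YYYYMMDDHHmmSS in UTC.
SAMPLE_SIGNED_ZONE = """\
; constructed sample
example.com.     3600 IN SOA   ns1.example.com. hostmaster.example.com. 2009100701 3600 900 1209600 3600
example.com.     3600 IN RRSIG SOA 8 2 3600 20091105000000 20091006000000 2059 example.com. c2lnbmF0dXJlMQ==
example.com.     3600 IN NS    ns1.example.com.
example.com.     3600 IN RRSIG NS 8 2 3600 20091020120000 20091006000000 2059 example.com. c2lnbmF0dXJlMg==
www.example.com.  300 IN A     192.0.2.10
www.example.com.  300 IN RRSIG A 8 3 300 20091101000000 20091006000000 2059 example.com. c2lnbmF0dXJlMw==
"""


def _rrsig_time(field: str) -> datetime:
    """Parse an RRSIG expiration/inception field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(zone_text: str) -> list:
    """Return (owner, covered type, expiration) for each RRSIG line.

    Lines with or without the TTL and class fields are accepted, since both
    forms occur in zone files; anything that is not an RRSIG is skipped.
    """
    sigs = []
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()     # strip comments, tokenize
        if "RRSIG" not in fields:
            continue
        i = fields.index("RRSIG")
        rdata = fields[i + 1:]
        if i == 0 or len(rdata) < 9:              # malformed: no owner or short RDATA
            continue
        sigs.append((fields[0], rdata[0], _rrsig_time(rdata[4])))
    return sigs


def resign_report(zone_text: str, now_str: str, margin_days: int = 7) -> dict:
    """Summarize the re-signing deadline. `now_str` uses the RRSIG time format
    so the check can be scripted from a cron/scheduled task without date objects."""
    now = _rrsig_time(now_str)
    sigs = parse_rrsigs(zone_text)
    if not sigs:
        return {"signatures": 0, "earliest": None, "days_left": None, "needs_resign": False}
    owner, rtype, exp = min(sigs, key=lambda s: s[2])   # first signature to lapse
    days_left = (exp - now).total_seconds() / 86400
    return {
        "signatures": len(sigs),
        "earliest": f"{owner} {rtype} {exp:%Y%m%d%H%M%S}",
        "days_left": round(days_left, 2),
        "needs_resign": days_left <= margin_days,      # already lapsed or inside the margin
    }


def next_signed_filename(current: str) -> str:
    """zonefile_v1.dns -> zonefile_v2.dns: the current signed file is the input,
    the next version number is the output (naming convention from the text)."""
    m = re.fullmatch(r"(.*_v)(\d+)(\.dns)", current)
    if not m:
        raise ValueError(f"unexpected zone file name: {current}")
    return f"{m.group(1)}{int(m.group(2)) + 1}{m.group(3)}"


if __name__ == "__main__":
    # 2009-10-07 is the page's publication date, used here as "now".
    print(resign_report(SAMPLE_SIGNED_ZONE, "20091007000000"))
    print(resign_report(SAMPLE_SIGNED_ZONE, "20091007000000", margin_days=14))
    print("next output file:", next_signed_filename("zonefile_v1.dns"))
```

Run against the sample with a 7-day margin the report shows the NS signature lapsing in 13.5 days and no re-signing needed yet; with a 14-day margin it flags the zone. The margin should be at least as long as the time it takes to re-sign and redistribute the zone to all authoritative servers, or resolvers will see expired signatures and fail validation.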

When the zone being signed has a parent zone that is also signed, the Delegation Key Signer record, also known as the Delegation Signer (DS) resource record, must be handed off to the owner of the parent zone. The administrator of the parent zone must then incorporate the DS record and re-sign the parent zone.

The DS set can be found in the dsset-<zone name> and keyset-<zone name> files. On the secure signing computer, it can be found in the same folder as the signed and unsigned copies of the zone. These files will be created automatically as part of the zone signing operation. The contents of the files must be provided to the administrator of the parent DNS zone.

If you are the administrator of a zone whose child zone has just been signed, then you will receive a copy of the DS records from the signed child zone. Incorporate this copy into your zone and re-sign the zone.

If the child zone is signed using the Windows Server® 2008 R2 signing tool, you will receive the dsset-<zone name> and keyset-<zone name> files from the administrator of the child zone. Copy these files into the %windir%\System32\DNS folder on the server that is signing your zone (the parent zone) and re-sign the zone. The signing tool will use the contents of the files and will re-sign the parent zone appropriately.
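A parent-zone administrator is trusting the DS record handed over by the child to match the child's real key-signing key, so it is worth checking it before incorporating it and re-signing. The script below is an added example, not Microsoft's code and not the Windows Server 2008 R2 signing tool; it reproduces the standard DS computation (RFC 4034 appendix B key tag, RFC 4509 SHA-256 digest) and compares a presentation-format DS line against the child's DNSKEY. It assumes the handed-over DS is available as a presentation-format line (the exact layout of the dsset-<zone name> file is not described on this page); the child DNSKEY is a constructed stand-in with a 3-byte public key, not a usable key.

```python
"""Compute and verify a DS (Delegation Signer) record from a child's DNSKEY.

Added example, not Microsoft's code or the Windows DNS signing tool. Implements
the standard computation: key tag per RFC 4034 appendix B and a SHA-256 digest
(digest type 2, RFC 4509) over the owner name in wire form plus the DNSKEY RDATA.
"""
import base64
import hashlib
import struct

# Constructed child KSK (flags 257, protocol 3, algorithm 8 = RSA/SHA-256).
# The 3-byte "public key" is a placeholder so the arithmetic is easy to follow.
CHILD_ZONE = "child.example.com."
CHILD_DNSKEY = {"flags": 257, "protocol": 3, "algorithm": 8, "pubkey_b64": "AQID"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA wire form (RFC 4034 section 2.1): flags, protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 appendix B (applies to all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, key: dict) -> dict:
    """DS fields for a DNSKEY: digest type 2 over owner-name wire form + RDATA."""
    rdata = dnskey_rdata(key["flags"], key["protocol"], key["algorithm"], key["pubkey_b64"])
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return {"owner": owner, "key_tag": key_tag(rdata), "algorithm": key["algorithm"],
            "digest_type": 2, "digest": digest}


def ds_presentation(ds: dict) -> str:
    """Presentation-format DS line, as it would be added to the parent zone."""
    return f"{ds['owner']} IN DS {ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


def ds_matches_dnskey(ds_line: str, owner: str, key: dict) -> bool:
    """Check a DS line received from a child administrator against the child's DNSKEY.

    Returns False if the line is malformed or if owner, key tag, algorithm,
    digest type or digest disagree with what the DNSKEY actually produces.
    """
    fields = ds_line.split()
    try:
        i = fields.index("DS")
        if i == 0:
            return False                       # no owner name in front of the type
        got_owner = fields[0]
        tag, alg, dtype = int(fields[i + 1]), int(fields[i + 2]), int(fields[i + 3])
        digest = "".join(fields[i + 4:])       # digests are often wrapped across spaces
    except (ValueError, IndexError):
        return False
    want = ds_record(owner, key)
    return (name_to_wire(got_owner) == name_to_wire(owner)
            and tag == want["key_tag"] and alg == want["algorithm"]
            and dtype == want["digest_type"] and digest.upper() == want["digest"])


if __name__ == "__main__":
    line = ds_presentation(ds_record(CHILD_ZONE, CHILD_DNSKEY))
    print(line)
    print("matches child DNSKEY:", ds_matches_dnskey(line, CHILD_ZONE, CHILD_DNSKEY))
```

For the constructed key the RDATA is the seven bytes 01 01 03 08 01 02 03, which gives key tag 2059; the digest is whatever SHA-256 produces over the wire-form owner name followed by those bytes. Owner-name comparison goes through the wire encoding, so case and a missing trailing dot do not cause a false mismatch, while a DS record for a different name or a tampered digest is rejected.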

© 2014 Microsoft. All rights reserved.