
Distribute Trust Anchors

Published: October 7, 2009

Updated: October 7, 2009

Applies To: Windows Server 2008 R2

The trust anchor for a given zone is found in the keyset-<zone name> file on the secure signing computer, in the same location where the signed and unsigned copies of the zone reside. This file is created automatically as part of the signing process.

Important
Trust anchors are required on all non-authoritative DNS servers that will perform DNSSEC validation of data from a signed zone.

To distribute trust anchors, transfer the keyset-<zone name> file to each DNS server that will perform validation for data from the signed zone.

You can store the trust anchor in Active Directory and replicate it forest-wide by transferring the trust anchor to one DNS server per forest. This option is only available if the DNS server is running on a domain controller.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, right-click the name of the DNS server and then click Properties.

  3. On the Trust Anchors tab, click Add.

  4. Under Name, type the name of the signed zone.

  5. Do not change the settings for Protocol (DNSSEC) and Algorithm (RSA/SHA-1).

  6. Paste the public key of the signed zone into Public Key. The Zone Signing Key and Secure Entry Point check boxes must be selected for the KSK. Select only the Zone Signing Key check box for the ZSK.

Tip
It is not necessary to configure a trust anchor for a signed zone on the server that is authoritative for the same zone.

  1. Copy information from the keyset-<zone name> file found on the secure signing computer. This file has the following format:

     <zone name> <TTL> IN DNSKEY <Flags> 3 5 <Base64Data>; key tag = <key tag>

  2. Open an elevated command prompt, type the following command, and then press ENTER.

     DnsCmd /TrustAnchorAdd <zone name> DNSKEY <Flags> 3 5 <Base64Data>

Value            Description

dnscmd           The command-line tool for managing DNS servers.

/TrustAnchorAdd  Required. Used with <zone name> to specify the signed zone to be associated with a trust anchor.

<zone name>      Required. The FQDN of the signed zone.

<Flags>          Required. The flags in DNSKEY (for example, 257).

<Base64Data>     Required. A base-64 encoded text string.
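As an added example (not from the original page), the following Python script parses a keyset-<zone name> file in the format shown above, recomputes each record's key tag as defined in RFC 4034 Appendix B and checks it against the "; key tag =" comment, rejects records whose flags are not 256 or 257 or whose protocol/algorithm is not 3/5, and then emits the matching DnsCmd /TrustAnchorAdd line in the argument order given above. The zone name, TTL and key material are constructed dummy values, not real keys.

```python
import base64
import re
from dataclasses import dataclass

KEYSET_LINE = re.compile(  # one record of the keyset-<zone name> file, as shown on the page
    r"^(?P<zone>\S+)\s+(?P<ttl>\d+)\s+IN\s+DNSKEY\s+(?P<flags>\d+)\s+(?P<proto>\d+)"
    r"\s+(?P<alg>\d+)\s+(?P<key>[A-Za-z0-9+/=]+)\s*;\s*key tag\s*=\s*(?P<tag>\d+)\s*$")

@dataclass
class TrustAnchor:
    zone: str
    flags: int
    key_b64: str
    key_tag: int

    def dnscmd(self) -> str:
        return f"DnsCmd /TrustAnchorAdd {self.zone} DNSKEY {self.flags} 3 5 {self.key_b64}"

def dnskey_key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA, as defined in RFC 4034 Appendix B."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_keyset(text: str) -> list:
    # Parse and validate every record; reject anything a transfer may have altered.
    anchors = []
    for line in filter(str.strip, text.splitlines()):
        m = KEYSET_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised keyset line: {line!r}")
        flags, proto, alg = int(m["flags"]), int(m["proto"]), int(m["alg"])
        if flags not in (256, 257):  # 256 = ZSK, 257 = KSK (Zone Key + Secure Entry Point)
            raise ValueError(f"unexpected DNSKEY flags {flags}")
        if (proto, alg) != (3, 5):   # the fixed Protocol/Algorithm values the page uses
            raise ValueError(f"unexpected protocol/algorithm {proto}/{alg}")
        computed = dnskey_key_tag(flags, proto, alg, base64.b64decode(m["key"], validate=True))
        if computed != int(m["tag"]):
            raise ValueError(f"key tag mismatch: file says {m['tag']}, computed {computed}")
        anchors.append(TrustAnchor(m["zone"], flags, m["key"], computed))
    return anchors

# Constructed sample keyset file: short dummy keys, not real RSA public keys.
SAMPLE_KEYSET = """\
contoso.com. 3600 IN DNSKEY 257 3 5 AwEAAcRaeyGeEP8C; key tag = 58263
contoso.com. 3600 IN DNSKEY 256 3 5 AwEAAbIzRFVmd4iZ; key tag = 60576
"""
```

Running parse_keyset(SAMPLE_KEYSET) and printing each anchor's dnscmd() yields one ready-to-paste command per key; a record whose key material was altered in transit fails the key tag check instead of being installed.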

© 2014 Microsoft. All rights reserved.