Appendix C: DNSSEC PowerShell Scripts

The following PowerShell scripts are available to automate DNSSEC deployment procedures, such as zone signing and key rollover:

SignZone.ps1. This script is available for review and discussion in the Script Center. For more information, see DNSSEC zone sign/rollover sample script (https://go.microsoft.com/fwlink/?LinkId=187001).

SignZone.ps1 is a sample script used to sign or roll over a zone using DNSSEC.  Run the script on the authoritative server for the zone to be signed. By default, the script uses the RSA/SHA-1 signing algorithm and 1024-bit key lengths. Both defaults are weak by current standards (RFC 8624 lists RSA/SHA-1 as NOT RECOMMENDED for signing, and 1024-bit RSA has been below the NIST minimum for signature generation since 2013), so treat the sample as a starting point and adjust the algorithm and key length in the script before signing a production zone. Rollover methods supported include pre-published ZSK, double signature ZSK, and double signature KSK.  This script automates commands found in the following procedures and checklists:

Usage: SignZone -Action <Action> -Zone <ZoneName> [-Ksk <FriendlyKsk>] [-Zsk <FriendlyZsk>] [-Ttl <Ttl> | -Ttl <DsTtl>]

Which of the optional parameters are required depends on the action; see the examples that follow.

Value           Description

<Action>        The action performed by the script. Possible values are: Sign, Resign, PreZsk, DoubleZsk, DoubleKsk.

<ZoneName>      Name of the zone to be signed, re-signed, or rolled over.

<FriendlyKsk>   Friendly name of the existing KSK. Required for every action except Sign.

<FriendlyZsk>   Friendly name of the existing ZSK. Required for every action except Sign.

<Ttl>           Zone SOA TTL. Optional; used by the PreZsk and DoubleZsk rollovers.

<DsTtl>         TTL of the DS record in the parent zone. Required by the DoubleKsk rollover, because the old KSK must remain published until cached copies of the parent's DS record have expired.

See the following examples:

    Sign zone:
    -Action Sign -Zone <ZoneName>

    Re-sign zone:
    -Action Resign -Zone <ZoneName> -Ksk <FriendlyKsk> -Zsk <FriendlyZsk>

    Pre-published ZSK rollover:
    -Action PreZsk -Zone <ZoneName> -Ksk <FriendlyKsk> -Zsk <FriendlyZsk>
        [-Ttl <Ttl>]

    Double signature ZSK rollover:
    -Action DoubleZsk -Zone <ZoneName> -Ksk <FriendlyKsk> -Zsk <FriendlyZsk>
        [-Ttl <Ttl>]

    Double signature KSK rollover:
    -Action DoubleKsk -Zone <ZoneName> -Ksk <FriendlyKsk> -Zsk <FriendlyZsk>
        -Ttl <DsTtl>
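The usage examples above give a different parameter set for each action, and SignZone.ps1 is a sample rather than a hardened tool. The following wrapper is an added example, not part of the deployment guide or of SignZone.ps1 itself: it enforces that per-action contract (required and disallowed parameters, a positive DS TTL for DoubleKsk) before invoking the sample script, and supports -WhatIf so the exact invocation can be reviewed without signing anything. It assumes SignZone.ps1 is in the same folder as the wrapper and accepts the parameter names shown in the usage line; the file name Invoke-SignZone.ps1 is the author's choice.

```powershell
# Invoke-SignZone.ps1 (added example; not part of the deployment guide or of SignZone.ps1).
# Enforces the per-action parameter rules from the usage table before calling the
# sample script, so a rollover with a missing or extraneous parameter fails before
# anything is signed. Assumes SignZone.ps1 lives in the same folder as this wrapper.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidateSet('Sign', 'Resign', 'PreZsk', 'DoubleZsk', 'DoubleKsk')]
    [string]$Action,
    [Parameter(Mandatory = $true)]
    [string]$Zone,
    [string]$Ksk,     # friendly name of the existing KSK
    [string]$Zsk,     # friendly name of the existing ZSK
    [int]$Ttl         # zone SOA TTL (PreZsk/DoubleZsk) or parent DS TTL (DoubleKsk)
)

# Parameter contract per action, as given by the usage examples above.
$rules = @{
    Sign      = @{ Required = @();                    Optional = @() }
    Resign    = @{ Required = @('Ksk', 'Zsk');        Optional = @() }
    PreZsk    = @{ Required = @('Ksk', 'Zsk');        Optional = @('Ttl') }
    DoubleZsk = @{ Required = @('Ksk', 'Zsk');        Optional = @('Ttl') }
    DoubleKsk = @{ Required = @('Ksk', 'Zsk', 'Ttl'); Optional = @() }
}
$rule    = $rules[$Action]
$allowed = @($rule.Required) + @($rule.Optional)

foreach ($name in $rule.Required) {
    if (-not $PSBoundParameters.ContainsKey($name)) { throw "Action '$Action' requires -$name." }
}
foreach ($name in 'Ksk', 'Zsk', 'Ttl') {
    if ($PSBoundParameters.ContainsKey($name) -and ($allowed -notcontains $name)) {
        throw "Action '$Action' does not take -$name; refusing to guess what was intended."
    }
}
if ($Action -eq 'DoubleKsk' -and $Ttl -le 0) {
    # The old KSK must stay published until every cached copy of the parent's DS has expired.
    throw "DoubleKsk needs the parent zone's DS TTL in seconds (-Ttl > 0)."
}

# Pass through only the parameters this action accepts, by splatting.
$scriptArgs = @{ Action = $Action; Zone = $Zone }
foreach ($name in $allowed) {
    if ($PSBoundParameters.ContainsKey($name)) { $scriptArgs[$name] = $PSBoundParameters[$name] }
}
$scriptPath = Join-Path (Split-Path -Parent $MyInvocation.MyCommand.Path) 'SignZone.ps1'
$summary    = ($scriptArgs.GetEnumerator() | ForEach-Object { "-$($_.Key) $($_.Value)" }) -join ' '

# -WhatIf prints the exact SignZone.ps1 invocation without running it.
if ($PSCmdlet.ShouldProcess($Zone, "SignZone.ps1 $summary")) {
    & $scriptPath @scriptArgs
}
```

Run it as, for instance, `.\Invoke-SignZone.ps1 -Action DoubleKsk -Zone contoso.com -Ksk KSK-contoso -Zsk ZSK-contoso -Ttl 86400 -WhatIf` to see the call that would be made; drop -WhatIf to execute it. The wrapper deliberately rejects parameters an action does not use rather than silently ignoring them, since a stray -Ttl on a Sign, or a missing one on a DoubleKsk, usually means the operator is running a different procedure from the one they think they are.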

TrustAnchor.ps1. This script is available for review and discussion in the Script Center. For more information, see DNSSEC trust anchor add/rollover/verify sample script (https://go.microsoft.com/fwlink/?LinkId=187003).

TrustAnchor.ps1 is a sample script to add, roll over, or verify trust anchors for DNSSEC.  Run the script on the server where you wish to update or verify trust anchors.  The script extracts keys from a remote authoritative server, if necessary, for both rollover and verification actions. Because a trust anchor is the root of trust for every validation the server performs, obtain the keyset file over an authenticated channel rather than from an unsigned DNS query, and confirm that the KSK it contains matches the DS record the zone operator publishes before adding it. You can use this script to automate commands found in the following checklist:

Note

TrustAnchor.ps1 also allows you to verify existing trust anchors by providing a list of any trust anchors that are invalid or stale.

Usage: TrustAnchor -Action <Action> -Zone <ZoneName> [-Keyset <KeysetFile>]

Value           Description

<Action>        The action performed by the script. Possible values are: Add, Roll, Verify.

<ZoneName>      Name of the zone for which trust anchors are to be added, rolled over, or verified.

<KeysetFile>    Name of the keyset-<ZoneName> file that was created during zone signing. Required for the Add action; for Roll and Verify the script retrieves the keys from the remote authoritative server instead.

See the following examples:

    Add trust anchor:
    -Action Add -Zone <ZoneName> -Keyset <KeysetFile>

    Roll trust anchor:
    -Action Roll -Zone <ZoneName>

    Verify trust anchor:
    -Action Verify -Zone <ZoneName>
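The Verify action above reports trust anchors that no longer match the zone's keys, and the Add action takes the keyset file produced at signing time. The following script is an added example, not part of the deployment guide or of TrustAnchor.ps1: it performs the equivalent check offline from a keyset file by parsing its DNSKEY records, computing each key's key tag (RFC 4034 Appendix B) and DS digest (RFC 4034 section 5.1.4; digest type 1 is SHA-1, type 2 is SHA-256 per RFC 4509), printing the DS records to register at the parent, and reporting whether a given anchor (key tag plus SHA-256 digest) is still valid. It assumes the keyset-<ZoneName> file contains zone-file style DNSKEY resource records, one per line. The sample keyset is constructed here, and its base64 key material is filler rather than a real RSA key.

```powershell
# Added example (not part of the deployment guide or of TrustAnchor.ps1).
# Computes key tags and DS digests from a keyset-<ZoneName> file and checks an
# anchor against them. Assumes zone-file style DNSKEY records, one per line.

function ConvertTo-WireName {
    # Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case,
    # length-prefixed labels, terminated by a zero byte.
    param([string]$Name)
    $out = New-Object System.Collections.Generic.List[byte]
    foreach ($label in $Name.TrimEnd('.').ToLowerInvariant().Split('.')) {
        if ($label.Length -eq 0) { continue }
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($label)
        $out.Add([byte]$bytes.Length)
        $out.AddRange($bytes)
    }
    $out.Add([byte]0)
    return ,$out.ToArray()
}

function Get-DnsKeyTag {
    # Key tag over the DNSKEY RDATA (RFC 4034 Appendix B.1): even bytes weigh 256,
    # odd bytes weigh 1, then fold the carry back in and keep 16 bits.
    param([byte[]]$Rdata)
    $ac = 0
    for ($i = 0; $i -lt $Rdata.Length; $i++) {
        if (($i -band 1) -eq 1) { $ac += [int]$Rdata[$i] } else { $ac += [int]$Rdata[$i] * 256 }
    }
    $ac += ([int][math]::Floor($ac / 65536)) -band 0xFFFF
    return ($ac -band 0xFFFF)
}

function ConvertFrom-KeysetFile {
    # One object per DNSKEY record in the keyset file; text after ';' is a comment.
    param([string[]]$Lines)
    $pattern = '^(?<owner>\S+)\s+(?:\d+\s+)?(?:IN\s+)?DNSKEY\s+(?<flags>\d+)\s+(?<proto>\d+)\s+(?<alg>\d+)\s+(?<key>.+)$'
    foreach ($line in $Lines) {
        $text = ($line -split ';')[0].Trim()
        if ($text -match $pattern) {
            $flags = [int]$Matches['flags']
            $pub   = [Convert]::FromBase64String(($Matches['key'] -replace '\s', ''))
            # RDATA = flags(2) | protocol(1) | algorithm(1) | public key
            $rdata = New-Object System.Collections.Generic.List[byte]
            $rdata.Add([byte][math]::Floor($flags / 256)); $rdata.Add([byte]($flags -band 0xFF))
            $rdata.Add([byte][int]$Matches['proto']);      $rdata.Add([byte][int]$Matches['alg'])
            $rdata.AddRange($pub)
            $bytes = $rdata.ToArray()
            New-Object PSObject -Property @{
                Owner     = $Matches['owner']
                Flags     = $flags
                IsKsk     = (($flags -band 1) -eq 1)   # SEP bit set: 257 = KSK, 256 = ZSK
                Algorithm = [int]$Matches['alg']
                KeyTag    = Get-DnsKeyTag $bytes
                Rdata     = $bytes
            }
        }
    }
}

function Get-DsDigest {
    # DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4.
    # Digest type 1 = SHA-1, 2 = SHA-256 (RFC 4509). Returned as upper-case hex.
    param($Key, [ValidateSet(1, 2)][int]$DigestType = 2)
    if ($DigestType -eq 1) { $hasher = [System.Security.Cryptography.SHA1]::Create() }
    else                   { $hasher = [System.Security.Cryptography.SHA256]::Create() }
    $data = [byte[]]((ConvertTo-WireName $Key.Owner) + $Key.Rdata)
    return (($hasher.ComputeHash($data) | ForEach-Object { $_.ToString('X2') }) -join '')
}

function Test-TrustAnchor {
    # $true when an anchor read back from the resolver (key tag + SHA-256 DS digest)
    # still matches a KSK in the keyset; $false means the anchor is stale or invalid.
    param($Keys, [int]$KeyTag, [string]$Sha256Digest)
    foreach ($k in @($Keys | Where-Object { $_.IsKsk -and $_.KeyTag -eq $KeyTag })) {
        if ((Get-DsDigest -Key $k -DigestType 2) -eq $Sha256Digest) { return $true }
    }
    return $false
}

# Constructed sample keyset-contoso.com; the base64 is filler, not real RSA key material.
$sampleKeyset = @'
; keyset-contoso.com (constructed sample)
contoso.com. 3600 IN DNSKEY 257 3 5 AwEAAavN7wEjRWeJ
contoso.com. 3600 IN DNSKEY 256 3 5 AwEAAc3vASNFZ4mr
'@ -split "`r?`n"

$keys = @(ConvertFrom-KeysetFile -Lines $sampleKeyset)
foreach ($k in ($keys | Where-Object { $_.IsKsk })) {
    # The DS record to register at the parent, or to compare with what it already serves.
    '{0} IN DS {1} {2} 2 {3}' -f $k.Owner, $k.KeyTag, $k.Algorithm, (Get-DsDigest -Key $k)
}
$ksk = $keys | Where-Object { $_.IsKsk } | Select-Object -First 1
Test-TrustAnchor -Keys $keys -KeyTag $ksk.KeyTag -Sha256Digest (Get-DsDigest -Key $ksk)
Test-TrustAnchor -Keys $keys -KeyTag $ksk.KeyTag -Sha256Digest ('0' * 64)
```

The last two lines show the two outcomes a verify step can produce: an anchor whose key tag and digest match the keyset passes, and an anchor with a stale or corrupted digest fails even when its key tag still matches, which is why the comparison is on the full digest rather than on the 16-bit key tag alone. Only keys with the SEP bit set are considered, because trust anchors and parent DS records point at KSKs; a ZSK rollover (PreZsk or DoubleZsk above) does not change what this check reports.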

Tip

These scripts are also available for download in a .zip archive with the DNSSEC Deployment Guide (https://go.microsoft.com/fwlink/?LinkId=187201).

See Also

Concepts

Deploying DNS Security Extensions (DNSSEC)