Export (0) Print
Expand All
Expand Minimize
This topic has not yet been rated - Rate this topic

Set-DnsServerDnsSecZoneSetting

Windows Server 2012 R2 and Windows 8.1

Updated: April 8, 2014

Applies To: Windows 8.1, Windows PowerShell 4.0, Windows Server 2012 R2

Set-DnsServerDnsSecZoneSetting

Changes settings for DNSSEC for a zone.

Syntax

Parameter Set: DnsSecSetting
Set-DnsServerDnsSecZoneSetting [-ZoneName] <String> [[-DenialOfExistence] <String> ] [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-DistributeTrustAnchor <String[]> ] [-DnsKeyRecordSetTtl <TimeSpan> ] [-DSRecordGenerationAlgorithm <String[]> ] [-DSRecordSetTtl <TimeSpan> ] [-EnableRfc5011KeyRollover <Boolean> ] [-NSec3HashAlgorithm <String> ] [-NSec3Iterations <UInt16> ] [-NSec3OptOut <Boolean> ] [-NSec3RandomSaltLength <Byte> ] [-NSec3UserSalt <String> ] [-ParentHasSecureDelegation <Boolean> ] [-PassThru] [-PropagationTime <TimeSpan> ] [-SecureDelegationPollingPeriod <TimeSpan> ] [-SignatureInceptionOffset <TimeSpan> ] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: SigningMetadata
Set-DnsServerDnsSecZoneSetting [-ZoneName] <String> [[-InputObject] <CimInstance> ] [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-PassThru] [-ThrottleLimit <Int32> ] [-Confirm] [-WhatIf] [ <CommonParameters>]




Detailed Description

The Set-DnsServerDnsSecZoneSetting cmdlet changes Domain Name System Security Extensions (DNSSEC) settings for the specified zone on a Domain Name System (DNS) server.

You can select which version of Next Secure (NSEC) to use to provide authenticated denial of existence. Set the DenialOfExistence parameter to NSec or NSec3. If you use NSec3, you can use either random salt or user-defined salt.

When using the SigningMetadata parameter set, the cmdlet takes CimInstance#DnsServerZoneSigningMetadata as an input object. You can use this cmdlet with Get-DnsServerDnsSecZoneSetting to import the DNSSEC metadata of a zone from one DNS server to another DNS server.

Parameters

-AsJob

Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete. The cmdlet immediately returns an object that represents the job and then displays the command prompt. You can continue to work in the session while the job completes. To manage the job, use the *-Job cmdlets. To get the job results, use the Receive-Job cmdlet. For more information about Windows PowerShell® background jobs, see about_Jobs.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CimSession<CimSession[]>

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.


Aliases

Session

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ComputerName<String>

Specifies a DNS server. If you do not specify this parameter, the command runs on the local system. You can specify an IP address or any value that resolves to an IP address, such as a fully qualified domain name (FQDN), host name, or NETBIOS name.


Aliases

Cn

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-DenialOfExistence<String>

Specifies which version of NSEC to use. A DNS server uses this setting to provide signed proof of an unregistered name.

The acceptable values for this parameter are: 

-- NSec
-- NSec3


Aliases

none

Required?

false

Position?

3

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DistributeTrustAnchor<String[]>

Specifies an array of trust anchors that a DNS server distributes in Active Directory® Domain Services. DNS servers do not distribute trust anchors by default. If the DNS server is not also a domain controller, it adds trust anchors only to the local trust anchor store.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DnsKeyRecordSetTtl<TimeSpan>

Specifies a time-span object that represents the Time to Live (TTL) value of a DNS key record.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DSRecordGenerationAlgorithm<String[]>

Specifies an array of cryptographic algorithms for domain service records. The acceptable values for this parameter are: 

-- Sha1
-- Sha256
-- Sha384


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-DSRecordSetTtl<TimeSpan>

Specifies a TTL time span for the set of domain service records. The default value is the same as the TTL for the zone.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-EnableRfc5011KeyRollover<Boolean>

Specifies whether a server uses RFC 5011 key rollover.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-InputObject<CimInstance>

Specifies the input to this cmdlet. You can use this parameter, or you can pipe the input to this cmdlet.


Aliases

none

Required?

false

Position?

3

Default Value

none

Accept Pipeline Input?

True (ByValue)

Accept Wildcard Characters?

false

-NSec3HashAlgorithm<String>

Specifies an NSEC3 hash algorithm. The only possible value is RsaSha1.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-NSec3Iterations<UInt16>

Specifies a number of NSEC3 hash iterations to perform when it signs a DNS zone. The default value is 50.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-NSec3OptOut<Boolean>

Specifies whether to sign the DNS zone by using NSEC opt-out. The default value is $False.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-NSec3RandomSaltLength<Byte>

Specifies the length of a salt value. The default length is 8.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-NSec3UserSalt<String>

Specifies a user salt string. The default value is Null or -.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ParentHasSecureDelegation<Boolean>

Specifies whether a parent has secure delegation for a zone. The default value is $False.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PropagationTime<TimeSpan>

Specifies a propagation time as a time-span object. This is the expected time required to propagate zone changes. The default value is 2 days.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-SecureDelegationPollingPeriod<TimeSpan>

Specifies a delegation polling period as a time-span object. This is the time between polling attempts for key rollovers for child zones. The default value is 12 hours.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-SignatureInceptionOffset<TimeSpan>

Specifies the signature inception as a time-span object. This value is how far in the past DNSSEC signature validity periods begin. The default value is one hour.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ThrottleLimit<Int32>

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ZoneName<String>

Specifies the name of a DNS zone.


Aliases

none

Required?

true

Position?

2

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see    about_CommonParameters.

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Management.Infrastructure.CimInstance#DnsServerDnsSecZoneSetting

    The DnsServerDnsSecZoneSetting object contains the following fields:

    --DenialOfExistence
    --DistributeTrustAnchor
    --DnsKeyRecordSetTtl
    --DSRecordGenerationAlgorithm
    --DSRecordSetTtl
    --EnableRfc5011KeyRollover
    --IsKeyMasterServer
    --KeyMasterServer
    --KeyMasterStatus
    --NSec3HashAlgorithm
    --NSec3Iterations
    --NSec3OptOut
    --NSec3RandomSaltLength
    --NSec3UserSalt
    --ParentHasSecureDelegation
    --PropagationTime
    --SecureDelegationPollingPeriod
    --SignatureInceptionOffset
    --ZoneName


Examples

Example 1: Modify RFC 5011 settings

This command modifies RFC 5011 settings for a zone named west01.contoso.com. The example uses the PassThru parameter to produce output and the Verbose parameter to include all output.


PS C:\> Set-DnsServerDnsSecZoneSetting -ZoneName "west01.contoso.com" -EnableRfc5011KeyRollover $true -PassThru -Verbose
VERBOSE: Modifies the DNSSEC properties for the zone west01.contoso.com on server Server01. 
VERBOSE: RFC5011KeyRollovers successfully set on server Server01.
ZoneName : west01.contoso.com
IsKeyMasterServer : True
KeyMasterServer : Server01.west01.contoso.com
KeyMasterStatus : Online
DenialOfExistence : NSec3
NSec3HashAlgorithm : RsaSha1
NSec3Iterations : 50
NSec3OptOut : False
IsNSec3SaltConfigured : True
NSec3RandomSaltLength : 8
NSec3UserSalt : -
DnsKeyRecordSetTTL : 01:00:00
DSRecordSetTTL : 01:00:00
DSRecordGenerationAlgorithm : {Sha1, Sha256}
DistributeTrustAnchor : {None}
EnableRfc5011KeyRollover : True
ParentHasSecureDelegation : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime : 2.00:00:00
SignatureInceptionOffset : 01:00:00

Example 2: Import DNSSEC signing metadata

This command uses the Get-DnsServerDnsSecZoneSetting cmdlet to get the DNSSEC signing metadata, that includes KSK metadata, from the DNS server named KeyMaster01 in the zone named contoso.com. The command passes the DNSSEC signing metadata to the current cmdlet by using the pipeline operator. The command sets the DNSSEC signing metadata on the non-key master primary server named EdgeServer01. If the zone on the server is not already signed, the command initiates signing on the server by using zone signing keys.


PS C:\> Get-DnsServerDnsSecZoneSetting -SigningMetadata -ZoneName "contoso.com" -IncludeKSKMetadata -ComputerName "KeyMaster01" | Set-DnsServerDnsSecZoneSetting -ComputerName "EdgeServer01"

Related topics

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.