Export (0) Print
Expand All
Expand Minimize

Export-DnsServerDnsSecPublicKey

Updated: January 17, 2013

Applies To: Windows Server 2012

Export-DnsServerDnsSecPublicKey

Exports DS and DNSKEY information for a DNSSEC–signed zone.

Syntax

Parameter Set: DnsKey
Export-DnsServerDnsSecPublicKey [-ZoneName] <String> [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-Force] [-NoClobber] [-PassThru] [-Path <String> ] [-ThrottleLimit <Int32> ] [-UnAuthenticated] [-Confirm] [-WhatIf] [ <CommonParameters>]

Parameter Set: DS
Export-DnsServerDnsSecPublicKey [-ZoneName] <String> -DigestType <String[]> [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-Force] [-NoClobber] [-PassThru] [-Path <String> ] [-ThrottleLimit <Int32> ] [-UnAuthenticated] [-Confirm] [-WhatIf] [ <CommonParameters>]




Detailed Description

The Export-DnsServerDnsSecPublicKey cmdlet exports delegation signer (DS) or Domain Name System public key (DNSKEY) information for a Domain Name System Security Extensions (DNSSEC)–signed zone.

Parameters

-AsJob

Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete. The cmdlet immediately returns an object that represents the job and then displays the command prompt. You can continue to work in the session while the job completes. To manage the job, use the *-Job cmdlets. To get the job results, use the Receive-Job cmdlet. For more information about Windows PowerShell® background jobs, see about_Jobs.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-CimSession<CimSession[]>

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ComputerName<String>

Specifies a remote DNS server. You can specify an IP address or any value that resolves to an IP address, such as a fully qualified domain name (FQDN), host name, or NETBIOS name.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-DigestType<String[]>

Specifies an array of algorithms that the zone signing key uses to create the DS record. The acceptable values for this parameter are: 
-- Sha1
-- Sha256
-- Sha384


Aliases

none

Required?

true

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Force

Exports the signing key without prompting you for confirmation. By default, the cmdlet prompts you for confirmation before it proceeds.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-NoClobber

Specifies that the export operation does not overwrite an existing export file that has the same name.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-Path<String>

Specifies the absolute path that the cmdlet uses to place the keyset file. The cmdlet automatically names the file according to the zone name.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-ThrottleLimit<Int32>

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-UnAuthenticated

Specifies that an unauthenticated user is running this cmdlet. The provider DNS server queries for the DS or DNSKEY information and exports the required data even if you do not have permissions to run the cmdlet on the remote DNS server.


Aliases

none

Required?

false

Position?

named

Default Value

none

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-ZoneName<String>

Specifies the name of the primary zone for which the cmdlet exports the signing keys.


Aliases

none

Required?

true

Position?

2

Default Value

none

Accept Pipeline Input?

True (ByPropertyName)

Accept Wildcard Characters?

false

-Confirm

Prompts you for confirmation before running the cmdlet.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.


Required?

false

Position?

named

Default Value

false

Accept Pipeline Input?

false

Accept Wildcard Characters?

false

<CommonParameters>

This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see    about_CommonParameters.

Inputs

The input type is the type of the objects that you can pipe to the cmdlet.

Outputs

The output type is the type of the objects that the cmdlet emits.

  • Microsoft.Management.Infrastructure.CimInstance#DnsServerResourceRecord

Examples

Example 1: Export a trust anchor to a file share

This command exports the trust anchor (DS record) for Contoso.com to a file share. A DNS administrator runs this command from the DNS server that hosts the zone Contoso.com and specifies that the zone signing key uses the SHA-1 algorithm to create the DS record.

This command creates Keyset-Contoso.com in \\MyDNSKeyShare\keys and writes the DS record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.


PS C:\> Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.Contoso.com" -ZoneName "Contoso.com" -Path "\\MyDNSKeyShare\keys" -PassThru -DigestType "Sha1"
Exporting a trust anchor without using authentication is insecure unless DNSSEC is active on "${ComputerName}", a trust anchor covering "${ZoneName}" is installed, and the connection between the local machine and "${ComputerName}" is secure. Consider alternative means of exporting the trust anchors, such as the DNSCMD protocol, email, or HTTPS. Proceed? [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y

Example 2: Export a trust anchor by using unauthorized access

This command exports a trust anchor (DNSKEY record) for Contoso.com to a file share. The DNS administrator who runs this command has no permissions to the DNS server that hosts the zone Contoso.com. This command specifies that the zone signing key uses the SHA-1 algorithm to create the DS record.

This command creates Keyset-Contoso.com in \\MyDNSKeyShare\keys and writes the DS record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.


PS C:\> Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.contoso.com" -ZoneName "Contoso.com" - Path "\\MyDNSKeyShare\keys" -PassThru -UnAuthorized -Force -DigestType "Sha1"
Exporting a trust anchor without using authentication is insecure unless DNSSEC is active on "${ComputerName}", a trust anchor covering "${ZoneName}" is installed, and the connection between the local machine and "${ComputerName}" is secure. Consider alternative means of exporting the trust anchors, such as the DNSCMD protocol, email, or HTTPS. Proceed? [Y] Yes  [A] Yes to All  [N] No  [L] No to All  [S] Suspend  [?] Help (default is "Y"): Y
Note: User typing N exits out of the command with no export or output

Example 3: Get the trust anchors for all the signed zones

This command gets the trust anchors for all the signed zones that are hosted on the DNS server Contoso.com. In this scenario the DNS Server is currently hosting signed zones for contoso.com, dinnernow.com and hrweb.net

The command uses a Foreach-Object cmdlet to export the trust anchors and pipe the results to the Get-DnsServerZone cmdlet.


This command creates a keyset file in the share for each signed zone that is hosted on the DNS server (Keyset-Contoso.com, Keyset-Dinnernow.com, Keyset-Hrweb.net) and writes the DNSKEY record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.


PS C:\> Get-DnsServerZone | ForEach-Object {Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.Contoso.com" -ZoneName "Contoso.com" -Path "\\MyDNSKeyShare\keys" -PassThru -UnAuthorized -Force  }

Example 4: Import a trust anchor to a non-authorized DN server

The first command exports the trust anchor (DNSKEY record) for Contoso.com to the specified path, and stores the results in the $publicKey variable. The UnAuthenticated parameter indicates that the DNS administrator who runs this command has no permissions to the DNS server that hosts the zone Contoso.com.

The second command adds the first trust record that was exported from Contoso.com into a non-authoritative DNS server named DNSDC1.Contoso.com.


PS C:\> $publicKey = Export-DnsServerDnssecPublicKey -ZoneName "contoso.com" -Path "C:\" -PassThru -UnAuthenticated –Force
PS C:\> $publicKey[0].RecordData | Add-DnsServerTrustAnchor -Name "constoso.com" –ComputerName "DNSDC1.Contoso.com"

Related topics

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft