Export-DnsServerDnsSecPublicKey
Export-DnsServerDnsSecPublicKey
Exports DS and DNSKEY information for a DNSSEC–signed zone.
Syntax
Parameter Set: DnsKey
Export-DnsServerDnsSecPublicKey [-ZoneName] <String> [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-Force] [-NoClobber] [-PassThru] [-Path <String> ] [-ThrottleLimit <Int32> ] [-UnAuthenticated] [-Confirm] [-WhatIf] [ <CommonParameters>]
Parameter Set: DS
Export-DnsServerDnsSecPublicKey [-ZoneName] <String> -DigestType <String[]> [-AsJob] [-CimSession <CimSession[]> ] [-ComputerName <String> ] [-Force] [-NoClobber] [-PassThru] [-Path <String> ] [-ThrottleLimit <Int32> ] [-UnAuthenticated] [-Confirm] [-WhatIf] [ <CommonParameters>]
Detailed Description
The Export-DnsServerDnsSecPublicKey cmdlet exports delegation signer (DS) or Domain Name System public key (DNSKEY) information for a Domain Name System Security Extensions (DNSSEC)–signed zone.
Parameters
-AsJob
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-CimSession<CimSession[]>
Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-ComputerName<String>
Specifies a remote DNS server. You can specify an IP address or any value that resolves to an IP address, such as a fully qualified domain name (FQDN), host name, or NETBIOS name.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-DigestType<String[]>
Specifies an array of algorithms that the zone signing key uses to create the DS record. The acceptable values for this parameter are:
-- Sha1
-- Sha256
-- Sha384
Aliases |
none |
Required? |
true |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
True (ByPropertyName) |
Accept Wildcard Characters? |
false |
-Force
Exports the signing key without prompting you for confirmation. By default, the cmdlet prompts you for confirmation before it proceeds.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-NoClobber
Specifies that the export operation does not overwrite an existing export file that has the same name.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-PassThru
Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-Path<String>
Specifies the absolute path that the cmdlet uses to place the keyset file. The cmdlet automatically names the file according to the zone name.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
True (ByPropertyName) |
Accept Wildcard Characters? |
false |
-ThrottleLimit<Int32>
Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-UnAuthenticated
Specifies that an unauthenticated user is running this cmdlet. The provider DNS server queries for the DS or DNSKEY information and exports the required data even if you do not have permissions to run the cmdlet on the remote DNS server.
Aliases |
none |
Required? |
false |
Position? |
named |
Default Value |
none |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-ZoneName<String>
Specifies the name of the primary zone for which the cmdlet exports the signing keys.
Aliases |
none |
Required? |
true |
Position? |
2 |
Default Value |
none |
Accept Pipeline Input? |
True (ByPropertyName) |
Accept Wildcard Characters? |
false |
-Confirm
Prompts you for confirmation before running the cmdlet.
Required? |
false |
Position? |
named |
Default Value |
false |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
-WhatIf
Shows what would happen if the cmdlet runs. The cmdlet is not run.
Required? |
false |
Position? |
named |
Default Value |
false |
Accept Pipeline Input? |
false |
Accept Wildcard Characters? |
false |
<CommonParameters>
This cmdlet supports the common parameters: -Verbose, -Debug, -ErrorAction, -ErrorVariable, -OutBuffer, and -OutVariable. For more information, see about_CommonParameters (https://go.microsoft.com/fwlink/p/?LinkID=113216).
Inputs
The input type is the type of the objects that you can pipe to the cmdlet.
Outputs
The output type is the type of the objects that the cmdlet emits.
- Microsoft.Management.Infrastructure.CimInstance#DnsServerResourceRecord
Examples
Example 1: Export a trust anchor to a file share
This command exports the trust anchor (DS record) for Contoso.com to a file share. A DNS administrator runs this command from the DNS server that hosts the zone Contoso.com and specifies that the zone signing key uses the SHA-1 algorithm to create the DS record.
This command creates Keyset-Contoso.com in \\MyDNSKeyShare\keys and writes the DS record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.
PS C:\> Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.Contoso.com" -ZoneName "Contoso.com" -Path "\\MyDNSKeyShare\keys" -PassThru -DigestType "Sha1"
Example 2: Export a trust anchor by using unauthorized access
This command exports a trust anchor (DNSKEY record) for Contoso.com to a file share. The DNS administrator who runs this command has no permissions to the DNS server that hosts the zone Contoso.com. This command specifies that the zone signing key uses the SHA-1 algorithm to create the DS record.
This command creates Keyset-Contoso.com in \\MyDNSKeyShare\keys and writes the DS record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.
PS C:\> Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.contoso.com" -ZoneName "Contoso.com" - Path "\\MyDNSKeyShare\keys" -PassThru -UnAuthorized -Force -DigestType "Sha1"
Example 3: Get the trust anchors for all the signed zones
This command gets the trust anchors for all the signed zones that are hosted on the DNS server Contoso.com. In this scenario the DNS Server is currently hosting signed zones for contoso.com, dinnernow.com and hrweb.net
The command uses a Foreach-Object cmdlet to export the trust anchors and pipe the results to the Get-DnsServerZone cmdlet.
This command creates a keyset file in the share for each signed zone that is hosted on the DNS server (Keyset-Contoso.com, Keyset-Dinnernow.com, Keyset-Hrweb.net) and writes the DNSKEY record in the Microsoft.Management.Infrastructure.CimInstance#root/Microsoft/Windows/DNS/DNS/DnsServerResourceRecord format.
PS C:\> Get-DnsServerZone | ForEach-Object {Export-DnsServerDnsSecPublicKey -ComputerName "DNSDC1.Contoso.com" -ZoneName "Contoso.com" -Path "\\MyDNSKeyShare\keys" -PassThru -UnAuthorized -Force }
Example 4: Import a trust anchor to a non-authorized DN server
The first command exports the trust anchor (DNSKEY record) for Contoso.com to the specified path, and stores the results in the $publicKey variable. The UnAuthenticated parameter indicates that the DNS administrator who runs this command has no permissions to the DNS server that hosts the zone Contoso.com.
The second command adds the first trust record that was exported from Contoso.com into a non-authoritative DNS server named DNSDC1.Contoso.com.
PS C:\> $publicKey = Export-DnsServerDnssecPublicKey -ZoneName "contoso.com" -Path "C:\" -PassThru -UnAuthenticated –Force
PS C:\> $publicKey[0].RecordData | Add-DnsServerTrustAnchor -Name "constoso.com" –ComputerName "DNSDC1.Contoso.com"