Share via


Procedure: Export a Trust Point

 

Applies To: Windows Server 2012 R2, Windows Server 2012

Use the following procedures to export a trust point from a DNS server.

When you sign a zone on a DNS server running Windows Server 2008 R2, the DNSKEY RRSET (also called the Keyset) is saved on the local server. When you sign a zone on a DNS server running Windows Server 2012 or later, the DNSKEY RRSET and the DS RRSET (also called the DSSET) are automatically saved in a text file on the Key Master. By default these files are available in the %windir%\system32\dns directory.

For more information about trust points, see Trust Anchors.

Procedures are provided using the File Explorer and Windows PowerShell. You cannot export a trust point using DNS Manager. When you have completed the procedures in this topic, return to the parent checklist.

Choose File Explorer or Windows PowerShell to perform this procedure:

Export a trust point using File Explorer

Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To export a trust point using File Explorer

  1. Open File Explorer on the server where you wish to export the trust point, or connect to the DNS server from another location using File Explorer. The server must be the Key Master for the DNSSEC-signed zone.

  2. Navigate to the %windir%\system32\dns directory on the server.

    If the trust point that you wish to export is a KEYSET (DNSKEY), then locate the keyset-<zone.name.com> file. For example: keyset-secure.contoso.com. If the trust point that is available is a DSSET (DS), then locate the dsset-<zone.name.com> file. For example: dsset-secure.contoso.com.

    Tip

    If File Explorer is currently configured (on the View menu) not to display file name extensions, then the file names will appear to be their missing “.com” suffix.

  3. Copy (do not move) the KEYSET—or DSSET—file to a trusted location where it can be imported to other DNS servers. For example, you might wish to copy files to a network share, USB flash drive, or other storage device.

Export a trust point using Windows PowerShell

Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To use the Windows PowerShell examples that are provided, replace server and zone names with the names you will use in your environment.

To export a trust point using Windows PowerShell

  1. Open an elevated Windows PowerShell prompt on the server where you wish to import the trust point.

  2. To export a trust point, use the Export-DnsServerDnsSecPublicKey cmdlet. See the following example.

    Export-DnsServerDnsSecPublicKey -ComputerName DC2.contoso.com -ZoneName secure.contoso.com -Path \\Myshare\keys
    

    In this example, a DNSKEY trust anchor for the zone secure.contoso.com is exported from the primary, authoritative DNS server DC2.contoso.com. The \\Myshare\keys location must be accessible from DC2.contoso.com. To export a DS trust anchor, add the DigestType parameter. See the following example.

    Export-DnsServerDnsSecPublicKey -ComputerName DC2.contoso.com -ZoneName secure.contoso.com -Path \\Myshare\keys -DigestType sha1
    

After exporting DNSKEY or DS trust anchors, text files will be saved in the location specified by the Path parameter. You can use these file to import a trust anchor on another DNS server. For more information about importing a trust anchor, see Procedure: Import a Trust Point.

See also

DNSSEC in Windows

DNSSEC Deployment Planning