Procedure: Use Default Settings to Sign the Zone
Applies To: Windows Server 2012 R2, Windows Server 2012
Use the following procedures to sign a zone with default settings. Procedures are provided using the DNS Manager console and Windows PowerShell. When you have completed the procedures in this topic, return to the parent checklist.
Also see DNS Zones for additional information about zone signing and DNSSEC parameter values.
Choose DNS Manager or Windows PowerShell to sign the zone with default parameter values:
Sign a zone using default parameters in DNS Manager
The Zone Signing Wizard is used to sign a zone in DNS Manager. For examples of the wizard, see Zone Signing Wizard.
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To sign a zone using default parameters in DNS Manager
Open DNS Manager on a primary, authoritative DNS server, or connect to a primary, authoritative DNS server with DNS Manager.
In the console tree, right-click an unsigned zone, point to DNSSEC, and then click Sign the Zone.
Click Next, on the Signing Options page choose Use default settings to sign the zone, and then click Next.
You can review current choices for all DNSSEC parameter values on this page. Click Back to configure different parameter values, click Cancel to close the zone signing wizard without signing the zone, or click Next to begin signing the zone.
Verify that The zone has been successfully signed is displayed, and then click Finish.
Sign a zone using default parameters in Windows PowerShell
Membership in the Administrators group, or equivalent, is the minimum required to complete these procedures. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
In the Windows PowerShell commands that are used, replace secure.contoso.com with the name of the zone you wish to sign with DNSSEC. Also replace the example computer names with names of the DNS servers you will use.
To sign a zone using default parameters in Windows PowerShell
Open an elevated Windows PowerShell prompt on a primary, authoritative DNS server.
To sign the zone with default parameters, use the Invoke-DnsServerZoneSign cmdlet with the SignWithDefault parameter. See the following example:
Invoke-DnsServerZoneSign -ZoneName secure.contoso.com –SignWithDefault -ForceIn this example, the Force parameter is used to skip confirmation and immediately sign the zone. If you do not use the Force parameter, the default zone signing parameter values are displayed and you must confirm that you wish to sign the zone.
By default, the local DNS server will be the Key Master.