Edit

Share via

Get-DnsServerDnsSecZoneSetting

Module:
DnsServer Module

Gets DNSSEC settings for a zone.

Syntax

DnsSecSetting (Default) 

Get-DnsServerDnsSecZoneSetting
    [-ZoneName] <String[]>
    [-ComputerName <String>]
    [-CimSession <CimSession[]>]
    [-ThrottleLimit <Int32>]
    [-AsJob]
    [<CommonParameters>]

SigningMetadata 

Get-DnsServerDnsSecZoneSetting
    [-ZoneName] <String[]>
    [-ComputerName <String>]
    [-SigningMetadata]
    [-IncludeKSKMetadata]
    [-CimSession <CimSession[]>]
    [-ThrottleLimit <Int32>]
    [-AsJob]
    [<CommonParameters>]

Description

The Get-DnsServerDnsSecZoneSetting cmdlet gets the Domain Name System Security Extensions (DNSSEC) settings for a zone on a Domain Name System (DNS) server.

If you specify the SigningMetaData parameter, the cmdlet outputs a signing metadata object that contains all the configuration information about the zone signing. You can use this object to import the configuration for zone signing to another server by using the Set-DnsServerDnsSecZoneSetting cmdlet.

Examples

Example 1: Get DNSSEC settings

PS C:\> Get-DnsServerDnsSecZoneSetting -ZoneName "western.contoso.com"
ZoneName                      : western.contoso.com
IsKeyMasterServer             : True
KeyMasterServer               : root
KeyMasterStatus               : Online
DenialOfExistence             : NSec3
NSec3HashAlgorithm            : RsaSha1
NSec3Iterations               : 50
NSec3OptOut                   : False
IsNSec3SaltConfigured         : True
NSec3RandomSaltLength         : 8
NSec3UserSalt                 : -
DnsKeyRecordSetTTL            : 01:00:00
DSRecordSetTTL                : 01:00:00
DSRecordGenerationAlgorithm   : {Sha1, Sha256}
DistributeTrustAnchor         : {None}
EnableRfc5011KeyRollover      : False
ParentHasSecureDelegation     : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime               : 00:00:00
SignatureInceptionOffset      : 01:00:00

This command gets the DNS Security Extensions for the zone named western.contoso.com.

Example 2: Get DNSSEC setting with signing metadata

PS C:\> Get-DnsServerDnsSecZoneSetting -SigningMetadata -ZoneName western.contoso.com
DnsSecResourceRecords         : {DnsServerResourceRecord, DnsServerResourceRecord, DnsServerResourceRecord, DnsServerResourceRecord...}
DnsSecZoneSetting             : DnsServerDnsSecZoneSetting
KeyExtendedInformation        : {DnsServerSigningKeyExtendedInformation}
PSComputerName                :
ZoneName                      : western.contoso.com
IsSigned                      : True
DenialOfExistence             : NSec3
NSec3HashAlgorithm            : RsaSha1
NSec3Iterations               : 50
NSec3OptOut                   : False
NSec3RandomSaltLength         : 8
NSec3UserSalt                 : -
DistributeTrustAnchor         : None
EnableRfc5011KeyRollover      : True
DSRecordGenerationAlgorithm   : {Sha1, Sha256}
DSRecordSetTtl                : 01:00:00
DnsKeyRecordSetTtl            : 01:00:00
SignatureInceptionOffset      : 01:00:00
SecureDelegationPollingPeriod : 12:00:00
PropagationTime               : 00:00:00
ParentHasSecureDelegation     : False
NSec3CurrentSalt              : 64A9522428558341
CurrentRollingSkdGuid         : 92491d13-f777-4d48-a9b6-6625cfd5cb9e

This command gets the DNS Security Extensions signing metadata for the zone named western.contoso.com. The metadata returned can be imported on a non-key master server to begin signing with enhanced key management for file-backed zones.

Example 3: Get DNSSEC settings with signing metadata and key signing key information

PS C:\> Get-DnsServerDnsSecZoneSetting -SigningMetadata -ZoneName "western.contoso.com" -IncludeKSKMetadata
DnsSecResourceRecords         : {DnsServerResourceRecord, DnsServerResourceRecord, DnsServerResourceRecord, DnsServerResourceRecord...}
DnsSecZoneSetting             : DnsServerDnsSecZoneSetting
KeyExtendedInformation        : {DnsServerSigningKeyExtendedInformation, DnsServerSigningKeyExtendedInformation}
PSComputerName                :
ZoneName                      : western.contoso.com
IsSigned                      : True
DenialOfExistence             : NSec3
NSec3HashAlgorithm            : RsaSha1
NSec3Iterations               : 50
NSec3OptOut                   : False
NSec3RandomSaltLength         : 8
NSec3UserSalt                 : -
DistributeTrustAnchor         : None
EnableRfc5011KeyRollover      : True
DSRecordGenerationAlgorithm   : {Sha1, Sha256}
DSRecordSetTtl                : 01:00:00
DnsKeyRecordSetTtl            : 01:00:00
SignatureInceptionOffset      : 01:00:00
SecureDelegationPollingPeriod : 12:00:00
PropagationTime               : 00:00:00
ParentHasSecureDelegation     : False
NSec3CurrentSalt              : 64A9522428558341
CurrentRollingSkdGuid         : 92491d13-f777-4d48-a9b6-6625cfd5cb9e

This command gets the DNS Security Extensions signing metadata and key signing key information for the zone named western.contoso.com. The metadata returned can be imported on a non-key master server to begin signing with enhanced key management for file-backed zones.

Parameters

-AsJob

Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.

The cmdlet immediately returns an object that represents the job and then displays the command prompt. You can continue to work in the session while the job completes. To manage the job, use the *-Job cmdlets. To get the job results, use the Receive-Job cmdlet.

For more information about Windows PowerShell background jobs, see about_Jobs.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-CimSession

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Parameter properties

Type:

CimSession[]

Default value:None
Supports wildcards:False
DontShow:False
Aliases:Session

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ComputerName

Specifies a DNS server. If you do not specify this parameter, the command runs on the local system. You can specify an IP address or any value that resolves to an IP address, such as a fully qualified ___domain name (FQDN), host name, or NETBIOS name.

Parameter properties

Type:String
Default value:None
Supports wildcards:False
DontShow:False
Aliases:Cn

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-IncludeKSKMetadata

Indicates that the cmdlet includes KSK metadata in the output object. You can import the output object that contains the KSK metadata on another server. If the server that imports the input object requires the Key Master role, the server can seize the Key Master role. If the output object does not contain the KSK metadata, the server that imports the output object cannot seize the key Master Role while retaining the existing keys, and you must resign the whole zone with new keys.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

SigningMetadata
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-SigningMetadata

Indicates that the cmdlet includes all signing metadata in the output object.

Parameter properties

Type:SwitchParameter
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

SigningMetadata
Position:Named
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ThrottleLimit

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Parameter properties

Type:Int32
Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:Named
Mandatory:False
Value from pipeline:False
Value from pipeline by property name:False
Value from remaining arguments:False

-ZoneName

Specifies an array of names of DNS zones.

Parameter properties

Type:

String[]

Default value:None
Supports wildcards:False
DontShow:False

Parameter sets

(All)
Position:1
Mandatory:True
Value from pipeline:False
Value from pipeline by property name:True
Value from remaining arguments:False

CommonParameters

This cmdlet supports the common parameters: -Debug, -ErrorAction, -ErrorVariable, -InformationAction, -InformationVariable, -OutBuffer, -OutVariable, -PipelineVariable, -ProgressAction, -Verbose, -WarningAction, and -WarningVariable. For more information, see about_CommonParameters.

Outputs

CimInstance

The DnsServerDnsSecZoneSetting object contains the following fields:

  • DenialOfExistence
  • DistributeTrustAnchor
  • DnsKeyRecordSetTtl
  • DSRecordGenerationAlgorithm
  • DSRecordSetTtl
  • EnableRfc5011KeyRollover
  • IsKeyMasterServer
  • KeyMasterServer
  • KeyMasterStatus
  • NSec3HashAlgorithm
  • NSec3Iterations
  • NSec3OptOut
  • NSec3RandomSaltLength
  • NSec3UserSalt
  • ParentHasSecureDelegation
  • PropagationTime
  • SecureDelegationPollingPeriod
  • SignatureInceptionOffset
  • ZoneName

If you specify the SigningMetadata parameter, the object returned is of type DnsServerZoneSigningMetadata {

  • DnsServerDnsSecZoneSetting DnsSecZoneSetting
  • DnsServerSigningKeyExtendedInformation [] KeyExtendedInformation
  • DnsServerResourceRecord[] DnsSecRecords

}

DnsServerDnsSecZoneSetting {

  • String ZoneName
  • Bool DenialOfExistence
  • Bool NSec3HashAlgorithm
  • Integer NSec3Iterations
  • Bool NSec3OptOut
  • Integer NSec3RandomSaltLength
  • String NSec3UserSalt
  • String[] DistributeTrustAnchor
  • Bool EnableRfc5011KeyRollover
  • String[] DSRecordGenerationAlgorithm
  • Bool ParentHasSecureDelegation
  • DateTime DsRecordSetTtl
  • DateTime DnsKeyRecordSetTtl
  • DateTime SignatureInceptionOffset
  • DateTime SecureDelegationPollingPeriod
  • DateTime PropagationTime
  • Bool IsKeyMasterServer
  • String KeyMasterServer
  • String KeyMasterStatus
  • Bool IsSigned
  • String NSec3CurrentSalt
  • String CurrentRollingSkdGuid

}

DnsServerSigningKeyOpState {

  • Integer CurrentRolloverState
  • Bool ManualTrigger
  • Integer PreRollEventFired
  • TimeSpan NextKeyGenerationTime
  • DnsServerResourceRecordDnsKey[] RevokedOrSwappedDnsKeys
  • DnsServerResourceRecordDnsKey[] FinalDnsKeys
  • Integer ActiveKeyScope
  • Integer StandbyKeyScope
  • Integer NextKeyScope

}

DnsServerSigningKeyExtendedInformation {

  • DnsServerSigningKey SigningKey
  • DnsServerSigningKeyOpState SigningKeyOpState }