Set-DnsServerDnsSecZoneSetting

Changes settings for DNSSEC for a zone.

Syntax

Set-DnsServerDnsSecZoneSetting
   [-ZoneName] <String>
   [[-DenialOfExistence] <String>]
   [-NSec3HashAlgorithm <String>]
   [-NSec3Iterations <UInt16>]
   [-NSec3OptOut <Boolean>]
   [-NSec3RandomSaltLength <Byte>]
   [-NSec3UserSalt <String>]
   [-DistributeTrustAnchor <String[]>]
   [-EnableRfc5011KeyRollover <Boolean>]
   [-DSRecordGenerationAlgorithm <String[]>]
   [-DSRecordSetTtl <TimeSpan>]
   [-DnsKeyRecordSetTtl <TimeSpan>]
   [-SignatureInceptionOffset <TimeSpan>]
   [-SecureDelegationPollingPeriod <TimeSpan>]
   [-PropagationTime <TimeSpan>]
   [-ParentHasSecureDelegation <Boolean>]
   [-ComputerName <String>]
   [-PassThru]
   [-CimSession <CimSession[]>]
   [-ThrottleLimit <Int32>]
   [-AsJob]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]
Set-DnsServerDnsSecZoneSetting
   [-ZoneName] <String>
   [-ComputerName <String>]
   [-PassThru]
   [[-InputObject] <CimInstance>]
   [-CimSession <CimSession[]>]
   [-ThrottleLimit <Int32>]
   [-AsJob]
   [-WhatIf]
   [-Confirm]
   [<CommonParameters>]

Description

The Set-DnsServerDnsSecZoneSetting cmdlet changes Domain Name System Security Extensions (DNSSEC) settings for the specified zone on a Domain Name System (DNS) server.

You can select which version of Next Secure (NSEC) to use to provide authenticated denial of existence. Set the DenialOfExistence parameter to NSec or NSec3. If you use NSec3, you can use either random salt or user-defined salt.

When using the SigningMetadata parameter set, the cmdlet takes CimInstance#DnsServerZoneSigningMetadata as an input object. You can use this cmdlet with Get-DnsServerDnsSecZoneSetting to import the DNSSEC metadata of a zone from one DNS server to another DNS server.

Examples

Example 1: Modify RFC 5011 settings

PS C:\> Set-DnsServerDnsSecZoneSetting -ZoneName "west01.contoso.com" -EnableRfc5011KeyRollover $True -PassThru -Verbose

VERBOSE: Modifies the DNSSEC properties for the zone west01.contoso.com on server Server01. 
VERBOSE: RFC5011KeyRollovers successfully set on server Server01. 
ZoneName                      : west01.contoso.com
IsKeyMasterServer             : True
KeyMasterServer               : Server01.west01.contoso.com
KeyMasterStatus               : Online
DenialOfExistence             : NSec3
NSec3HashAlgorithm            : RsaSha1
NSec3Iterations               : 50
NSec3OptOut                   : False
IsNSec3SaltConfigured         : True
NSec3RandomSaltLength         : 8
NSec3UserSalt                 : -
DnsKeyRecordSetTTL            : 01:00:00
DSRecordSetTTL                : 01:00:00
DSRecordGenerationAlgorithm   : {Sha1, Sha256}
DistributeTrustAnchor         : {None}
EnableRfc5011KeyRollover      : True
ParentHasSecureDelegation     : False
SecureDelegationPollingPeriod : 12:00:00
PropagationTime               : 2.00:00:00
SignatureInceptionOffset      : 01:00:00

This command modifies RFC 5011 settings for a zone named west01.contoso.com. The example uses the PassThru parameter to produce output and the Verbose parameter to include all output.

Example 2: Import DNSSEC signing metadata

PS C:\> Get-DnsServerDnsSecZoneSetting -SigningMetadata -ZoneName "contoso.com" -IncludeKSKMetadata -ComputerName "KeyMaster01" | Set-DnsServerDnsSecZoneSetting -ComputerName "EdgeServer01"

This command uses the Get-DnsServerDnsSecZoneSetting cmdlet to get the DNSSEC signing metadata, that includes KSK metadata, from the DNS server named KeyMaster01 in the zone named contoso.com. The command passes the DNSSEC signing metadata to the current cmdlet by using the pipeline operator. The command sets the DNSSEC signing metadata on the non-key master primary server named EdgeServer01. If the zone on the server is not already signed, the command initiates signing on the server by using zone signing keys.

Parameters

-AsJob

Runs the cmdlet as a background job. Use this parameter to run commands that take a long time to complete.

The cmdlet immediately returns an object that represents the job and then displays the command prompt. You can continue to work in the session while the job completes. To manage the job, use the *-Job cmdlets. To get the job results, use the Receive-Job cmdlet.

For more information about Windows PowerShell background jobs, see about_Jobs.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-CimSession

Runs the cmdlet in a remote session or on a remote computer. Enter a computer name or a session object, such as the output of a New-CimSession or Get-CimSession cmdlet. The default is the current session on the local computer.

Type:CimSession[]
Aliases:Session
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ComputerName

Specifies a DNS server. If you do not specify this parameter, the command runs on the local system. You can specify an IP address or any value that resolves to an IP address, such as a fully qualified domain name (FQDN), host name, or NETBIOS name.

Type:String
Aliases:Cn
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-Confirm

Prompts you for confirmation before running the cmdlet.

Type:SwitchParameter
Aliases:cf
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-DenialOfExistence

Specifies which version of NSEC to use. A DNS server uses this setting to provide signed proof of an unregistered name.

The acceptable values for this parameter are:

  • NSec
  • NSec3
Type:String
Accepted values:NSec, NSec3
Position:2
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DistributeTrustAnchor

Specifies an array of trust anchors that a DNS server distributes in Active Directory® Domain Services. DNS servers do not distribute trust anchors by default. If the DNS server is not also a domain controller, it adds trust anchors only to the local trust anchor store.

Type:String[]
Accepted values:None, DnsKey
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DnsKeyRecordSetTtl

Specifies a time-span object that represents the Time to Live (TTL) value of a DNS key record.

Type:TimeSpan
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DSRecordGenerationAlgorithm

Specifies an array of cryptographic algorithms for domain service records. The acceptable values for this parameter are:

  • Sha1
  • Sha256
  • Sha384
Type:String[]
Accepted values:None, Sha1, Sha256, Sha384
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-DSRecordSetTtl

Specifies a TTL time span for the set of domain service records. The default value is the same as the TTL for the zone.

Type:TimeSpan
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-EnableRfc5011KeyRollover

Specifies whether a server uses RFC 5011 key rollover.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-InputObject

Specifies the input to this cmdlet. You can use this parameter, or you can pipe the input to this cmdlet.

Type:CimInstance
Position:2
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-NSec3HashAlgorithm

Specifies an NSEC3 hash algorithm. The only possible value is RsaSha1.

Type:String
Accepted values:RsaSha1
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-NSec3Iterations

Specifies a number of NSEC3 hash iterations to perform when it signs a DNS zone. The default value is 50.

Type:UInt16
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-NSec3OptOut

Specifies whether to sign the DNS zone by using NSEC opt-out. The default value is $False.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-NSec3RandomSaltLength

Specifies the length of a salt value. The default length is 8.

Type:Byte
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-NSec3UserSalt

Specifies a user salt string. The default value is Null or -.

Type:String
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ParentHasSecureDelegation

Specifies whether a parent has secure delegation for a zone. The default value is $False.

Type:Boolean
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-PassThru

Returns an object representing the item with which you are working. By default, this cmdlet does not generate any output.

Type:SwitchParameter
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-PropagationTime

Specifies a propagation time as a time-span object. This is the expected time required to propagate zone changes. The default value is 2 days.

Type:TimeSpan
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-SecureDelegationPollingPeriod

Specifies a delegation polling period as a time-span object. This is the time between polling attempts for key rollovers for child zones. The default value is 12 hours.

Type:TimeSpan
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-SignatureInceptionOffset

Specifies the signature inception as a time-span object. This value is how far in the past DNSSEC signature validity periods begin. The default value is one hour.

Type:TimeSpan
Position:Named
Default value:None
Required:False
Accept pipeline input:True
Accept wildcard characters:False

-ThrottleLimit

Specifies the maximum number of concurrent operations that can be established to run the cmdlet. If this parameter is omitted or a value of 0 is entered, then Windows PowerShell® calculates an optimum throttle limit for the cmdlet based on the number of CIM cmdlets that are running on the computer. The throttle limit applies only to the current cmdlet, not to the session or to the computer.

Type:Int32
Position:Named
Default value:None
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-WhatIf

Shows what would happen if the cmdlet runs. The cmdlet is not run.

Type:SwitchParameter
Aliases:wi
Position:Named
Default value:False
Required:False
Accept pipeline input:False
Accept wildcard characters:False

-ZoneName

Specifies the name of a DNS zone.

Type:String
Position:1
Default value:None
Required:True
Accept pipeline input:True
Accept wildcard characters:False

Outputs

CimInstance

The DnsServerDnsSecZoneSetting object contains the following fields:

  • DenialOfExistence
  • DistributeTrustAnchor
  • DnsKeyRecordSetTtl
  • DSRecordGenerationAlgorithm
  • DSRecordSetTtl
  • EnableRfc5011KeyRollover
  • IsKeyMasterServer
  • KeyMasterServer
  • KeyMasterStatus
  • NSec3HashAlgorithm
  • NSec3Iterations
  • NSec3OptOut
  • NSec3RandomSaltLength
  • NSec3UserSalt
  • ParentHasSecureDelegation
  • PropagationTime
  • SecureDelegationPollingPeriod
  • SignatureInceptionOffset
  • ZoneName