Checklist: Re-sign a Zone File

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

This checklist provides links to important procedures you can use to re-sign a zone file.


If you re-sign a zone using the same parameters that you used previously, the validity period is automatically extended. To shorten the validity period and force key rollover, change the ValidTo date.


When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or complete the tasks in the subordinate checklist, so that you can proceed with the remaining tasks in this checklist.

Checklist: Re-sign a Zone File

| Task | Reference |
| --- | --- |
| Review requirements to determine whether or not to generate new key pairs. | When to Re-sign a Zone File |
| Generate new key pairs for key rollover. | Generate Key Pairs |
| Back up the private keys. | Back Up Private Keys |
| Sign the zone file. | Sign a Zone File |
| Reload the signed zone file. | Reload a Zone File |

See Also


Checklist: Signing a Zone
Appendix C: DNSSEC PowerShell Scripts