What is the EnableDnsSec property from the Get-DnsServerSetting cmdlet

Mishaua 741 Reputation points
2022-12-02T00:15:36.207+00:00

What is the EnableDnsSec property from the Get-DnsServerSetting cmdlet, and is it set somewhere in the GUI? I have several AD-integrated DC\DNS member servers in a domain, and on one of them (a 2016 server, as opposed to the other 2012 R2 servers) EnableDnsSec is set to false. In theory they should all be the same?


6 answers

  1. Rich Matheisen 47,901 Reputation points
    2022-12-02T02:55:40.37+00:00

    In theory, yes they should all be configured the same. Yes, you can set this using the UI.

    In actual use, a DNS client (or other server) receives the same address information from the query. What's missing from the process, if the information is received from a zone not using DNSSEC, is the ability to verify that the answer came from the correct source. DNSSEC is there to prevent DNS spoofing and the use of data created by cache poisoning.

    See here for more information: dn593694(v=ws.11)


  2. Mishaua 741 Reputation points
    2022-12-02T23:24:49.913+00:00

    How do I see it via the gui? So if the EnableDnsSec property of a Get-DnsServerSetting is set to True, at least one zone from a get-dnsserverzone output should have property issigned as true?


  3. Rich Matheisen 47,901 Reputation points
    2022-12-03T19:51:57.807+00:00

    Before you can enable DNSSEC you have to add a "Trust Point" which will add the key used to produce the signature in the new DNS records that are used to validate the contents of the associated resource record.

    It sounds to me that you need help understanding DNSSEC, not how to accomplish the task using PowerShell.

    FYI, you can find the "Trust Points" in the hierarchy beneath the server in the GUI.


  4. Mishaua 741 Reputation points
    2022-12-04T00:05:27.283+00:00

    The thing that I am trying to solve is this: I have, let's say, 5 domain controllers in a domain. They are all running AD-integrated DNS. On 4 of the servers the EnableDnsSec property of Get-DnsServerSetting is set to True. These 4 DCs are Server 2012 R2. On the fifth DC the EnableDnsSec property of Get-DnsServerSetting is set to False. This server is a newer Server 2016. When I run Get-DnsServerZone on all the DCs, all the zones return False for the IsSigned property, so that should mean DNSSEC, even if enabled somewhere, is not used. I am trying to figure out the reason for the discrepancy between the 4 servers with the setting set to True and the one set to False. I know I can probably enable it via Set-DnsServerSetting, but I want to know where it is enabled on the other servers to understand why it is enabled.


  5. Mishaua 741 Reputation points
    2022-12-05T19:35:55.98+00:00

    I guess in the GUI in 2016 the setting is missing. It is only possible to set it via the command line and PowerShell: https://serverfault.com/questions/862378/dnssec-broken-in-windows-2016s-dns-server

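The comparison the question author describes in answer 4 (EnableDnsSec per server, IsSigned per zone, trust points per server) and the PowerShell-only remediation mentioned in answer 5 can be done in one pass from a management host. The script below is an added example written for this page, not code posted by anyone in the thread. It assumes the RSAT DnsServer and ActiveDirectory modules are installed, that the caller has DNS administration rights on every domain controller, and that every DC in the domain also runs the DNS Server role; the server name used in the commented remediation step is a placeholder.

```powershell
# Added example (not from the original thread): audit the DNSSEC-related
# settings on every domain controller and flag the one that differs.
# Assumes RSAT DnsServer + ActiveDirectory modules and DNS admin rights.

# Every DC in the current domain (assumption: all of them run DNS Server).
$dcs = (Get-ADDomainController -Filter *).HostName

$report = foreach ($dc in $dcs) {
    try {
        # Server-wide setting the thread is about.
        $setting = Get-DnsServerSetting -ComputerName $dc
        # Per-zone signing state; IsSigned is what answer 4 compared.
        $zones = Get-DnsServerZone -ComputerName $dc
        # Trust points (answer 3): present only if DNSSEC validation was set up.
        $trust = Get-DnsServerTrustPoint -ComputerName $dc -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Server       = $dc
            EnableDnsSec = $setting.EnableDnsSec
            SignedZones  = ($zones | Where-Object IsSigned | ForEach-Object ZoneName) -join ','
            TrustPoints  = ($trust | ForEach-Object TrustPointName) -join ','
        }
    }
    catch {
        # Keep going if one DC is unreachable; record the error instead of the values.
        [pscustomobject]@{
            Server       = $dc
            EnableDnsSec = 'ERROR'
            SignedZones  = $_.Exception.Message
            TrustPoints  = ''
        }
    }
}

$report | Format-Table -AutoSize

# The value most DCs agree on is treated as the baseline; anything else is an outlier.
$baseline = ($report |
    Group-Object EnableDnsSec |
    Sort-Object Count -Descending |
    Select-Object -First 1).Name

$outliers = $report | Where-Object { "$($_.EnableDnsSec)" -ne $baseline }
if ($outliers) {
    Write-Warning "EnableDnsSec differs from the baseline ($baseline) on: $($outliers.Server -join ', ')"
}

# Remediation (deliberately commented out; the author wanted to understand the
# difference before changing anything). Set-DnsServerSetting does not take an
# -EnableDnsSec parameter; it takes the whole settings object via -InputObject.
# 'dc5.contoso.local' is a placeholder server name.
#
# $s = Get-DnsServerSetting -ComputerName 'dc5.contoso.local'
# $s.EnableDnsSec = $true
# Set-DnsServerSetting -InputObject $s -ComputerName 'dc5.contoso.local'
#
# Equivalent legacy command, as referenced by the Server Fault thread:
# dnscmd dc5.contoso.local /Config /EnableDnsSec 1
```

Running the audit before touching anything gives the evidence the thread was missing: if no zone on any DC reports IsSigned and no server has a trust point, the EnableDnsSec difference is only a server flag and no DNSSEC validation or signing is actually in use, which is the state answer 4 describes. The remediation lines then make the flag consistent without the GUI, which answer 5 notes is the only option on 2016.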
