Reviewing our DNS settings, it appeared DNSSEC was partially deployed/enabled but doesn't seem to be complete.
It appears that a rollover was started but is not completing, and that trust anchors were not created.
We have attempted to force the rollover with "Invoke-DnsServerSigningKeyRollover" and get "Failed to initiate rollover for the signing key."
There was an attempt to add new KSK and ZSK keys with the hope we could remove the stuck keys, but the retire option remains greyed out. We currently have 2 keys in each section.
We are trying to figure out the best option for next steps.
Can I safely unsign the zone without breaking DNS and start over?
Am I better off trying to finish/fix the setup by creating the trust anchors and attempting to get the key rollover to complete?
Our KSK Key Rollover Status is Rollover Started (Get-DnsServerSigningKey):
KeyType : KeySigningKey
CryptoAlgorithm : RsaSha256
KeyLength : 2048
KeyStorageProvider : Microsoft Software Key Storage Provider
StoreKeysInAD : True
CurrentState : Active
IsRolloverEnabled : True
RolloverType : DoubleSignature
RolloverPeriod : 755.00:00:00
InitialRolloverOffset : 00:00:00
CurrentRolloverStatus : KskWaitingForDnsKeyTtl
NextRolloverAction : Normal
LastRolloverTime :
NextRolloverTime : 9/3/2023 6:13:19 PM
DnsKeySignatureValidityPeriod : 7.00:00:00
DSSignatureValidityPeriod : 7.00:00:00
ZoneSignatureValidityPeriod : 10.00:00:00
Our ZSK Key Rollover Status is Queued (Get-DnsServerSigningKey):
KeyType : ZoneSigningKey
CryptoAlgorithm : RsaSha256
KeyLength : 1024
KeyStorageProvider : Microsoft Software Key Storage Provider
StoreKeysInAD : True
CurrentState : Active
IsRolloverEnabled : True
RolloverType : PrePublish
RolloverPeriod : 90.00:00:00
InitialRolloverOffset : 00:00:00
CurrentRolloverStatus : Queued
NextRolloverAction : Retire
LastRolloverTime : 6/7/2019 7:32:50 PM
NextRolloverTime : 9/5/2019 7:32:50 PM
DnsKeySignatureValidityPeriod : 7.00:00:00
DSSignatureValidityPeriod : 7.00:00:00
ZoneSignatureValidityPeriod : 10.00:00:00
There is no Trust Point container listed in DNS Manager, and running "dnscmd /info /enablednssec" seems to indicate DNSSEC is not enabled.
Query result:
Dword: 0 (00000000)
Command completed successfully.
The output of "Resolve-DnsName -Server -dnssecok" matches the Microsoft example for when a zone is not signed: "such as the contoso.com zone in the following example, RRSIG records are not displayed in the output."
Name Type TTL Section IPAddress
---- ---- --- ------- ---------
contoso.com A 600 Answer 192.168.0.2
contoso.com A 600 Answer 192.168.0.3
contoso.com A 600 Answer 192.168.0.1
Name : .
QueryType : OPT
TTL : 32768
Section : Additional
Data : {}
All DCs, DNS servers and functional levels are Server 2016.
I am wondering if I can safely unsign the zone without breaking DNS, or whether I am better off trying to finish the setup by creating the trust anchors and attempting to get the key rollover to complete?
I appreciate any assistance you can offer.
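Before deciding between unsigning and finishing the deployment, it helps to collect the zone's server-side and resolver-side DNSSEC state in one read-only pass, so that the quoted key output, the missing Trust Points container and the RRSIG-less answer can be compared against each other. The script below is an added example and is not code from the original post; the function name Get-DnssecZoneReport is hypothetical, the zone name and server are placeholders, and it assumes an elevated session with the DnsServer module (the same cmdlets the post already uses: Get-DnsServerSigningKey, Get-DnsServerZone, Get-DnsServerResourceRecord, Get-DnsServerTrustPoint, Resolve-DnsName). It changes nothing on the server.

```powershell
# Added example, not from the original post. Read-only DNSSEC inventory for one zone.
# Assumptions: run on (or with -ComputerName against) a Windows DNS server with the
# DnsServer module; 'corp.example' and the function name are placeholders.

function Get-DnssecZoneReport {
    param(
        [Parameter(Mandatory)] [string] $ZoneName,
        [string] $ComputerName = $env:COMPUTERNAME
    )

    # Zone object: IsSigned is the server's own view of whether the zone is DNSSEC-signed
    $zone = Get-DnsServerZone -Name $ZoneName -ComputerName $ComputerName

    # Signing keys, reduced to the fields that matter when a rollover appears stuck
    $keys = @(Get-DnsServerSigningKey -ZoneName $ZoneName -ComputerName $ComputerName |
        Select-Object KeyType, KeyLength, CurrentState, CurrentRolloverStatus,
                      NextRolloverAction, LastRolloverTime, NextRolloverTime)

    # Keys whose next rollover time is already in the past (the post's ZSK shows 2019)
    $overdue = @($keys | Where-Object {
        $_.NextRolloverTime -and $_.NextRolloverTime -lt (Get-Date)
    })

    # Zone data on the server: are DNSKEY and RRSIG records actually present?
    $dnskey = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType DnsKey `
                -ComputerName $ComputerName -ErrorAction SilentlyContinue)
    $rrsig  = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType RRSig `
                -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    # Trust anchors configured on this server (the "Trust Points" node in DNS Manager)
    $trustPoints = @(Get-DnsServerTrustPoint -ComputerName $ComputerName -ErrorAction SilentlyContinue)

    # Resolver-side view: query with the DO bit set and count RRSIGs in the answer,
    # which is the check the post ran by hand with Resolve-DnsName -DnssecOk
    $answer = Resolve-DnsName -Name $ZoneName -Type A -Server $ComputerName `
              -DnssecOk -ErrorAction SilentlyContinue
    $rrsigInAnswer = @($answer | Where-Object { $_.Type -eq 'RRSIG' }).Count

    [pscustomobject]@{
        Zone               = $ZoneName
        Server             = $ComputerName
        IsSigned           = $zone.IsSigned
        KeyCount           = $keys.Count
        OverdueRollovers   = ($overdue | ForEach-Object { "$($_.KeyType):$($_.CurrentRolloverStatus)" }) -join ', '
        DnsKeyRecords      = $dnskey.Count
        RrsigRecords       = $rrsig.Count
        TrustPointCount    = $trustPoints.Count
        RrsigInDoAnswer    = $rrsigInAnswer
        # Signed per the zone object but no RRSIG served: the inconsistent state worth escalating
        SignedButNotServed = [bool]($zone.IsSigned -and $rrsigInAnswer -eq 0)
        Keys               = $keys
    }
}

# Usage (placeholder zone and server):
# Get-DnssecZoneReport -ZoneName 'corp.example' -ComputerName 'dc01' | Format-List
```

The report is meant to be captured before any change is made: IsSigned, DnsKeyRecords and RrsigRecords describe what the server holds, TrustPointCount shows whether the server has any trust anchors at all, and RrsigInDoAnswer shows what a validating resolver would see. Saving the Keys property as well preserves the rollover status and timestamps for comparison afterwards, whichever path (unsign or complete) is chosen.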