Distribute Trust Anchors

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

The trust anchor for a given zone is found in the keyset-<zone name> file on the secure signing computer, in the same location where the signed and unsigned copies of the zone reside. This file is created automatically as part of the signing process.


Trust anchors are required on all non-authoritative DNS servers that will perform DNSSEC validation of data from a signed zone.

To distribute trust anchors, transfer the keyset-<zone name> file to each DNS server that will perform validation for data from the signed zone.

You can store the trust anchor in Active Directory and replicate it forest-wide by transferring the trust anchor to one DNS server per forest. This option is only available if the DNS server is running on a domain controller.

Membership in the Administrators group, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

Distributing trust anchors

  • Using the Windows interface

  • Using a command line

To add the trust anchor using the Windows interface:

  1. Click Start, click Run, type dnsmgmt.msc, and then press ENTER. The DNS Manager console will open.

  2. In the console tree, right-click the name of the DNS server and then click Properties.

  3. On the Trust Anchors tab, click Add.

  4. Under Name, type the name of the signed zone.

  5. Do not change the settings for Protocol (DNSSEC) and Algorithm (RSA/SHA-1).

  6. Paste the public key of the signed zone into Public Key. The Zone Signing Key and Secure Entry Point check boxes must be selected for the KSK. Select only the Zone Signing Key check box for the ZSK.


It is not necessary to configure a trust anchor for a signed zone on the server that is authoritative for the same zone.

To add the trust anchor using the command line

  1. Copy information from the keyset-<zone name> file found on the secure signing computer. This file has the following format:

    <zone name> <TTL> IN DNSKEY <Flags> 3 5 <Base64Data>; key tag = <key tag>

  2. Open an elevated command prompt, type the following command, and then press ENTER.

    DnsCmd /TrustAnchorAdd <zone name> DNSKEY <Flags> 3 5 <Base64Data>

Value Description

DnsCmd

The command-line tool for managing DNS servers.

/TrustAnchorAdd

Required. Used with <zone name> to specify the signed zone to be associated with a trust anchor.

<zone name>

Required. The FQDN of the signed zone.

<Flags>

Required. The flags in DNSKEY (ex: 257).

<Base64Data>

Required. A base-64 encoded text string.
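
The copy step in the command-line procedure above can be checked before the anchor is added. The following PowerShell is an added example, not part of the original topic or of Microsoft's tooling: it parses one line in the keyset format shown above, confirms protocol 3 and algorithm 5, recomputes the key tag (RFC 4034, Appendix B) to compare with the tag in the file comment, and prints the DnsCmd command for review. The function names and the sample line (example.test with a 4-byte placeholder key) are constructed for illustration.

```powershell
# Added example. Get-DnsKeyTag and ConvertTo-TrustAnchorCommand are hypothetical names.

function Get-DnsKeyTag {
    param([int]$Flags, [int]$Protocol, [int]$Algorithm, [byte[]]$PublicKey)
    # DNSKEY RDATA: flags (2 bytes, big-endian), protocol, algorithm, public key.
    [byte[]]$rdata = @([byte]([math]::Floor($Flags / 256)), [byte]($Flags % 256),
                       [byte]$Protocol, [byte]$Algorithm) + $PublicKey
    [long]$ac = 0
    for ($i = 0; $i -lt $rdata.Length; $i++) {
        # Even offsets are the high byte of each 16-bit word, odd offsets the low byte.
        if (($i % 2) -eq 0) { $ac += [long]$rdata[$i] * 256 } else { $ac += $rdata[$i] }
    }
    $ac += ([long][math]::Floor($ac / 65536)) % 65536   # fold the carry back in
    return [int]($ac % 65536)
}

function ConvertTo-TrustAnchorCommand {
    param([string]$Line)
    # <zone name> <TTL> IN DNSKEY <Flags> 3 5 <Base64Data>; key tag = <key tag>
    $pattern = '^\s*(\S+)\s+(\d+)\s+IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+' +
               '([A-Za-z0-9+/=\s]+?)\s*;\s*key tag\s*=\s*(\d+)\s*$'
    if ($Line -notmatch $pattern) { throw "Not a keyset DNSKEY line: $Line" }

    $zone  = $Matches[1]
    $flags = [int]$Matches[3]
    $proto = [int]$Matches[4]
    $alg   = [int]$Matches[5]
    $b64   = $Matches[6] -replace '\s', ''
    $fileTag = [int]$Matches[7]

    if ($proto -ne 3 -or $alg -ne 5) { throw "Expected protocol 3, algorithm 5; got $proto $alg" }
    # 257 = KSK (zone key + secure entry point), 256 = ZSK (zone key only).
    if ($flags -ne 256 -and $flags -ne 257) { throw "Unexpected DNSKEY flags: $flags" }

    $key = [Convert]::FromBase64String($b64)   # throws if the Base64 was damaged in transit
    $tag = Get-DnsKeyTag -Flags $flags -Protocol $proto -Algorithm $alg -PublicKey $key
    # The key tag is a checksum: it catches truncation or paste errors, not tampering.
    if ($tag -ne $fileTag) { throw "Key tag mismatch: computed $tag, file says $fileTag" }

    "DnsCmd /TrustAnchorAdd $zone DNSKEY $flags 3 5 $b64"
}

# Constructed sample line; the 4-byte key is a placeholder, not a real RSA key.
$sample = 'example.test. 3600 IN DNSKEY 257 3 5 AQIDBA==; key tag = 2060'
ConvertTo-TrustAnchorCommand -Line $sample
```

Because the key tag only detects accidental corruption, transfer the keyset-<zone name> file over a channel you trust and compare the key against the signing computer's copy before adding it.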

See Also


Checklist: Configuring and Distributing Trust Anchors