When to Re-sign a Zone File

Updated: October 7, 2009

Applies To: Windows Server 2008 R2


This topic applies to DNSSEC in Windows Server 2008 R2. DNSSEC support is greatly enhanced in Windows Server 2012. For more information, see DNSSEC in Windows Server 2012.

The steps for re-signing the zone are identical to the steps that were originally used to sign the zone, except that it is often not necessary to generate new keys. However, you must consider the validity period used in key generation and zone signing. For more information see Key Management and Checklist: Re-sign a Zone File.

Re-signing a zone file

The re-signing of a zone is performed only under the following circumstances:

  • If data in a signed zone was added, deleted, or modified, then the zone must be re-signed to generate new signatures. New keys do not need to be generated.

  • If a child zone is signed after the parent zone has been signed, then the DS records of the child zone must be added to the parent zone and the parent zone must be re-signed. New keys do not need to be generated.

  • If keys are compromised or become invalid, new keys must be generated, and the zone must be re-signed.

  • New keys are generated when key rollover is performed. For information about available rollover mechanisms, see the following topics:


If the zone is being re-signed because it has been compromised, then you must also generate new keys.

When re-signing the zone, the input zone file must be the zone file of the currently loaded signed zone. For example, assume *zonefile\_v0.dns* is the original unsigned copy and *zonefile\_v1.dns* is the first signed copy. When you use Dnscmd.exe or DNS Manager to modify the zone, these updates are written to *zonefile\_v1.dns*. You must use *zonefile\_v1.dns* as the input when re-signing the zone and generate *zonefile\_v2.dns* as the output. If you re-sign the zone again, use *zonefile\_v2.dns* as the input.  

Providing the DS record to the parent zone

In scenarios in which the zone being signed has a parent zone that is also signed, then the Delegation Key Signer record, also known as the Delegation Signer (DS) resource record must be handed off to the owner of the parent zone. The administrator of the parent zone must then incorporate the DS record and re-sign the parent zone.

The DS set can be found in the dsset-<zone name> and keyset-<zone name> files. On the secure signing computer, it can be found in the same folder as the signed and unsigned copies of the zone. These files will be created automatically as part of the zone signing operation. The contents of the files must be provided to the administrator of the parent DNS zone.

Incorporating the DS record from a child zone

If you are the administrator of a zone whose child zone has just been signed, then you will receive a copy of the DS records from the signed child zone. Incorporate this copy into your zone and re-sign the zone.

If the child zone is signed using the Windows Server® 2008 R2 signing tool, you will receive the dsset-<zone name> and keyset-<zone name> files from the administrator of the child zone. Copy these files into the %windir%\System32\DNS on the server that is signing your zone (the parent zone) and re-sign the zone. The signing tool will use the contents of the files and will re-sign the parent zone appropriately.

See Also


Generate Key Pairs
Sign a Zone File
Appendix C: DNSSEC PowerShell Scripts