Share via


Checklist: Distribute Trust Anchors

 

Applies To: Windows Server 2012 R2, Windows Server 2012

Checklist: Deploy DNSSEC > Checklist: Sign a Zone > Checklist: Distribute Trust Anchors

This checklist includes procedures to help you distribute trust anchors for a signed zone.

Before you complete the tasks in this checklist, make sure that you have performed the prerequisite tasks in the parent checklist, such as reviewing conceptual information about DNSSEC and signing a zone with the settings that you specify. You cannot distribute trust anchors until after a zone is signed with DNSSEC.

You must re-distribute trust anchors each time that a zone is re-signed unless re-signing occurs as part of an automatic key rollover and trust anchors are distributed automatically on key rollover (RFC 5011). Trust anchors can also be distributed automatically in Active Directory to all Active Directory-integrated DNS servers within the replication scope for the zone.

Note

Complete the tasks in this checklist in order. When a reference link takes you to a conceptual topic or to a subordinate checklist, return to this topic after you review the conceptual topic or after you complete the tasks in the subordinate checklist so that you can proceed with the remaining tasks in this checklist.

  Checklist: Distribute Trust Anchors

Task

Reference

Review concepts for managing trust anchors.

Trust Anchors

Enable automatic update of trust anchors on key rollover.

Procedure: Enable Automatic Update of Trust Anchors on Key Rollover

Important

Changes made to this setting do not take effect until the next automatic key rollover.

Enable distribution of trust anchors in Active Directory.

Procedure: Distribute Trust Anchors in Active Directory

Export and import trust anchors.

Procedure: Export a Trust Point

Procedure: Import a Trust Point

Manually add a trust anchor.

Procedure: Add a Trust Point

Deploy a root trust anchor.

Procedure: Deploy a Root Trust Point

See also

Overview of DNSSEC

DNSSEC in Windows

DNSSEC Deployment Planning

Appendix A: DNSSEC Terminology

Appendix B: Windows PowerShell for DNS Server