Enable DNSSEC for a DNS Zone in Azure with AZ PowerShell

Hi All,

Recently I blogged about Azure DNS finally supporting DNSSEC (Preview).

Today I want to show you how to enable DNSSEC on a zone hosted in Azure DNS by using the Az PowerShell module.

Connect to Azure and list the Azure DNS Zones

Connect-AzAccount -Tenant icewolfch.onmicrosoft.com
Get-AzDnsZone -ResourceGroupName rg_prod | ft name, ZoneType, ResourceGroupName, SigningKeys

Show the DNSSEC configuration of a specific zone (this one is already DNSSEC enabled)

Get-AzDnsDnssecConfig -ResourceGroupName rg_prod -ZoneName icewolf.ch

Show the DNSSEC configuration of a specific zone (this one is not DNSSEC enabled yet)

Get-AzDnsDnssecConfig -ResourceGroupName rg_prod -ZoneName serveralive.ch

Enable DNSSEC for the Zone

New-AzDnsDnssecConfig -ResourceGroupName rg_prod -ZoneName serveralive.ch

Let's check again. Sadly, the output does not show that the zone is now signed but not yet delegated: Azure signs the zone and publishes the DNSKEY records, but the chain of trust is only complete once the parent zone publishes a matching DS record.

Get-AzDnsDnssecConfig -ResourceGroupName rg_prod -ZoneName serveralive.ch

Let's check in the Azure Portal.

Let's check with the Verisign Labs DNSSEC Analyzer. As you can see, the DS record for the domain is missing in the parent zone (.ch in this case). Without it, validating resolvers treat the zone as insecure (unsigned), so resolution still works but nothing is validated.

Now you have to add the DS record to the parent zone. This is different for every DNS provider or registrar; publish it exactly as Azure returns it, because a DS that does not match the zone's key will make validating resolvers fail the whole zone.

Add the DS record information returned by New-AzDnsDnssecConfig (key tag, algorithm, digest type and digest) at the parent zone.

Let's check again with the Verisign Labs DNSSEC Analyzer after the DS record has been published at the parent.
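The steps above as one script, as an added example that is not code from the original post. It signs the zone only if it is not already signed, prints the DS record(s) that have to be published at the parent, and then checks with a public resolver whether the parent publishes a DS whose key tag matches the zone's key, plus whether the Azure name servers actually return signatures. The resource group, zone name and resolver are assumptions, and so is the property path SigningKeys[].DelegationSignerInfo[].Record for reading the DS RDATA from the DNSSEC config object; check the output of Get-AzDnsDnssecConfig in your own environment before relying on it.

```powershell
# Added example, not code from the original post.
# Requires the Az.Dns module and an existing session (Connect-AzAccount).
# Assumptions (verify in your environment): the zone/resource group names below, and that each
# entry in $config.SigningKeys has a DelegationSignerInfo list whose Record property holds the
# DS RDATA as "<keytag> <algorithm> <digesttype> <digest>".
param(
    [string]$ResourceGroupName = 'rg_prod',          # assumed
    [string]$ZoneName          = 'serveralive.ch',   # assumed
    [string]$Resolver          = '1.1.1.1'           # any public DNSSEC-aware resolver (assumed)
)

# 1. Sign the zone only if it is not signed yet
$config = Get-AzDnsDnssecConfig -ResourceGroupName $ResourceGroupName -ZoneName $ZoneName -ErrorAction SilentlyContinue
if (-not $config) {
    Write-Host "Zone $ZoneName is not signed, enabling DNSSEC ..."
    $config = New-AzDnsDnssecConfig -ResourceGroupName $ResourceGroupName -ZoneName $ZoneName
}

# 2. Collect the DS RDATA Azure wants published at the parent (registrar / .ch zone)
$dsRecords = @($config.SigningKeys | ForEach-Object { $_.DelegationSignerInfo } | ForEach-Object { $_.Record })
if ($dsRecords.Count -eq 0) { throw "No DS data returned for $ZoneName; inspect `$config manually." }
Write-Host "DS record(s) to publish in the parent zone:"
$dsRecords | ForEach-Object { Write-Host "  $ZoneName. IN DS $_" }
# The key tag is the first field of the DS RDATA; it is used below to match the parent's DS
$expectedKeyTags = $dsRecords | ForEach-Object { ($_ -split '\s+')[0] }

# 3. Ask a public resolver for the DS at the parent. No DS means "signed but not delegated":
#    validating resolvers treat the zone as insecure (it still resolves), not as bogus.
$parentDs = Resolve-DnsName -Name $ZoneName -Type DS -Server $Resolver -DnssecOk -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'DS' }
if (-not $parentDs) {
    Write-Warning "No DS record for $ZoneName at the parent. Publish the record(s) above at your registrar, then re-run."
    return
}

# 4. A DS that is present but does not match the zone's key makes validating resolvers return
#    SERVFAIL for the whole zone, so compare key tags, not just presence.
$parentText = ($parentDs | Out-String)
$matched = $expectedKeyTags | Where-Object { $parentText -match "\b$_\b" }
if ($matched) {
    Write-Host "Parent publishes a DS matching key tag(s): $($matched -join ', '). Delegation is complete."
} else {
    Write-Warning "Parent DS does not match the zone's DS (expected key tag(s): $($expectedKeyTags -join ', ')). Validating resolvers will fail this zone until it is fixed."
}

# 5. Confirm the Azure name servers actually serve signatures for the zone
$zone  = Get-AzDnsZone -ResourceGroupName $ResourceGroupName -Name $ZoneName
$rrsig = Resolve-DnsName -Name $ZoneName -Type SOA -Server $zone.NameServers[0] -DnssecOk -ErrorAction SilentlyContinue |
    Where-Object { $_.Type -eq 'RRSIG' }
if ($rrsig) { Write-Host "RRSIG present in the SOA answer from $($zone.NameServers[0]): the zone is served signed." }
else        { Write-Warning "No RRSIG in the answer from $($zone.NameServers[0])." }
```

Run it once right after signing to get the DS data, then again after the registrar has published the record; the second run should report a matching key tag. The key-tag comparison is deliberately done against the resolver's textual output so the script does not depend on the exact property names Resolve-DnsName uses for DS records, which differ between Windows versions.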

Regards
Andres Bohren
