The following simply does not work:
Remove-DnsServerSigningKey -KeyId $key.KeyId -ZoneName $zonename -Force
Where $zonename is a valid zone, and the key ID exists and is valid.
This command works if I first unsign a zone, but I want to do this just after a resign.
Logic:
- grab all current zone signing keys
- Add one new ZSK
- Resign the zone with the new ZSK
- Sleep for 3 seconds (just for a grace period)
- Loop through all previous keys (at this point, the new key is not in the list)
- Delete previous key
When trying to delete previous keys I get:
Remove-DnsServerSigningKey : Failed to delete the signing key __[Key-ID]__ for the zone __[Key-ID]__ on server __[Server-addr]__ Please check
extended error for additional details.
At C:\Users\Administrator\Desktop\dnssec.ps1:79 char:13
+ Remove-DnsServerSigningKey -KeyId $key.KeyId -ZoneName $zonename -Fo ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (__[Key-Id]__:root/Microsoft/...erverSigningKey) [Remove-DnsServerSigningKey], CimException
+ FullyQualifiedErrorId : WIN32 9119,Remove-DnsServerSigningKey
The code looks like this:
function resign {
    param(
        [string]$zonename
    )
    $zonename + " <- Re-Signing"
    ## Grab all current keys (incl. active ones)
    $keys = Get-DnsServerSigningKey -ZoneName $zonename
    $zonename + " <- Creating new ZSK"
    # Add a new ZSK
    Add-DnsServerSigningKey -ZoneName $zonename -ComputerName 127.0.0.1 -CryptoAlgorithm RsaSha256 -Type ZoneSigningKey
    # Resign the zone with the newly added key (note: the switch is -DoResign with a plain hyphen)
    Invoke-DnsServerZoneSign -ZoneName $zonename -DoResign -Force
    Start-Sleep -s 1
    # After the resign, we delete all previous ZONE signing keys (but keep the KSK)
    $zonename + " <- Removing ZSKeys"
    foreach ($key in $keys) {
        if ($key.KeyType -eq "ZoneSigningKey") {
            Remove-DnsServerSigningKey -ComputerName 127.0.0.1 -ZoneName $zonename -KeyId $key.KeyId -Force
        }
    }
}
Notable might be that if I unsign the zone completely and run the same delete-keys code, it works. It's just when resigning a zone that it doesn't work.
The key I'm trying to delete is of type ZoneSigningKey and not KeySigningKey (verified).
Solved this by, in short, unsigning the zone, deleting the old ZSK while keeping the old KSK, generating a new ZSK and signing the zone again.
Basically I called unsign and sign again within resign. It's ugly and not the way it's intended to work, but it works.
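The workaround described above, written out as an added example (not the original poster's script): unsign, drop only the old ZSKs, add a replacement ZSK, sign again, then verify that no old key ID survived. It assumes the DnsServer module cmdlets used in the question, a ComputerName of 127.0.0.1, and that Invoke-DnsServerZoneSign without -SignWithDefault signs with the keys already configured on the zone (the existing KSK plus the new ZSK).

```powershell
# Added example: ZSK replacement via unsign / delete / add / sign,
# as the post describes. Assumes the DnsServer module; 127.0.0.1 is a placeholder.
function Replace-ZskByUnsigning {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$ComputerName = '127.0.0.1'
    )

    $keys    = Get-DnsServerSigningKey -ZoneName $ZoneName -ComputerName $ComputerName
    $oldZsks = @($keys | Where-Object KeyType -eq 'ZoneSigningKey')
    $ksks    = @($keys | Where-Object KeyType -eq 'KeySigningKey')

    # Refuse to run on a zone whose KSK is missing: the DS at the parent would
    # no longer match anything after re-signing.
    if ($ksks.Count -eq 0) {
        throw "$ZoneName has no KeySigningKey; refusing to continue"
    }

    # 1. Unsign, so that no ZSK is 'in use' any more (this is what makes the
    #    later Remove-DnsServerSigningKey succeed, per the post).
    Invoke-DnsServerZoneUnsign -ZoneName $ZoneName -ComputerName $ComputerName -Force

    # 2. Delete only the previous ZSKs; the KSK is kept untouched.
    foreach ($key in $oldZsks) {
        Remove-DnsServerSigningKey -ZoneName $ZoneName -KeyId $key.KeyId `
            -ComputerName $ComputerName -Force
    }

    # 3. Generate the replacement ZSK.
    Add-DnsServerSigningKey -ZoneName $ZoneName -ComputerName $ComputerName `
        -Type ZoneSigningKey -CryptoAlgorithm RsaSha256

    # 4. Sign again with the keys now configured on the zone (old KSK + new ZSK).
    Invoke-DnsServerZoneSign -ZoneName $ZoneName -ComputerName $ComputerName -Force

    # 5. Verify: none of the old ZSK ids may still be present on the zone.
    $after    = Get-DnsServerSigningKey -ZoneName $ZoneName -ComputerName $ComputerName
    $leftover = @($after | Where-Object {
        $_.KeyType -eq 'ZoneSigningKey' -and ($oldZsks.KeyId -contains $_.KeyId)
    })
    if ($leftover.Count -gt 0) {
        throw "Old ZSK(s) still present on ${ZoneName}: $($leftover.KeyId -join ', ')"
    }
    return $after
}

# Usage: Replace-ZskByUnsigning -ZoneName 'example.test'
```

Between steps 1 and 4 the zone answers unsigned while its DS record is still published at the parent, so validating resolvers will fail lookups for that zone during the window (and cached RRSIGs made with the deleted ZSK stay in resolver caches until their TTL expires). The DnsServer module's rollover cmdlets (for example Invoke-DnsServerSigningKeyRollover) perform a pre-published ZSK rollover without that gap and are the intended path.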