Prev Question
Next Question

You need to verify whether a DNS response from a DNS server is signed by DNSSEC.
What should you run?

A. nslookup.exe

B. dnscmd.exe

C. Resolve-DNSName

D. Get-NetIPAddress

Explanation:
The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmdlet is functionally similar to the nslookup tool which allows users to query for
names. The Resolve-DnsName cmdlet was introduced in Windows Server 2012and Windows 8 and can be used to display DNS queries that include DNSSEC
data.
Parameters include:
-DnssecOk
Sets the DNSSEC OK bit for this query.
-DnssecCd
Sets the DNSSEC checking-disabled bit for this query
Example: In the following example, the DO=1 flag is set by adding the dnssecok parameter.
PS C:\> resolve-dnsname -name finance.secure.contoso.com -type A -server dns1.contoso.com -dnssecok
Incorrect Answers:
A: Do not use the nslookup command-line tool to test DNSSEC support for a zone. The nslookuptool uses an internal DNS client that is not DNSSEC-aware.
References:
https://technet.microsoft.com/library/jj590781.aspx
https://technet.microsoft.com/en-us/library/jj200221.aspx#validation

Prev Question
Next Question

Leave a Reply

Your email address will not be published. Required fields are marked *