You need to verify whether a DNS response from a DNS server is signed by DNSSEC.
What should you run?
The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmdlet is functionally similar to the nslookup tool which allows users to query for
names. The Resolve-DnsName cmdlet was introduced in Windows Server 2012and Windows 8 and can be used to display DNS queries that include DNSSEC
Sets the DNSSEC OK bit for this query.
Sets the DNSSEC checking-disabled bit for this query
Example: In the following example, the DO=1 flag is set by adding the dnssecok parameter.
PS C:\> resolve-dnsname -name finance.secure.contoso.com -type A -server dns1.contoso.com -dnssecok
A: Do not use the nslookup command-line tool to test DNSSEC support for a zone. The nslookuptool uses an internal DNS client that is not DNSSEC-aware.