You need to verify whether a DNS response from a DNS server is signed by DNSSEC. What should you run?
A. nslookup.exe
B. dnscmd.exe
C. Resolve-DNSName
D. Get-NetIPAddress
Correct Answer: C
Explanation/Reference:
The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmdlet is functionally similar to the nslookup tool, which allows users to query for names. The Resolve-DnsName cmdlet was introduced in Windows Server 2012 and Windows 8 and can be used to display DNS queries that include DNSSEC data.
Parameters include:
* -DnssecOk: Sets the DNSSEC OK bit for this query.
* -DnssecCd: Sets the DNSSEC checking-disabled bit for this query.
Example: In the following example, the DO=1 flag is set by adding the -DnssecOk parameter.
PS C:\> Resolve-DnsName -Name finance.secure.contoso.com -Type A -Server dns1.contoso.com -DnssecOk
Incorrect:
Not A: Do not use the nslookup command-line tool to test DNSSEC support for a zone. The nslookup tool uses an internal DNS client that is not DNSSEC-aware.
Reference: Resolve-DnsName
https://technet.microsoft.com/library/jj590781.aspx
Reference: Overview of DNSSEC
https://technet.microsoft.com/en-us/library/jj200221.aspx#validation