- Networking with Windows server 2016 (70-741)
36.
You want to plan your ZSK/KSK rollover process. Select the preferred rollover method for each kind of key. (Choose two.)
- A. ZSK: Prepublishing
- B. ZSK: Double signing
- C. KSK: Prepublishing
- D. KSK: Double signing
Answer : [A, D]
Explanation :
You use the prepublishing rollover method for the ZSK: the new DNSKEY record is published in the zone before it is used for signing. Once the new key has propagated to all client caches, you remove the old signatures and create new ones with the new key. This does not double the size of your zone, because signatures are replaced as they expire, and you can roll over each zone and each ZSK separately. You use the double signing method for the KSK: you sign the zone with both the old and the new key at the same time, and both signatures are held in the zone until the old public key expires. Once that time has passed, the old key is removed. This reduces risk and is the preferred method for KSK rollover.
37.
You have configured both Enable DNSSEC in This Rule and Require DNS Clients to Check That Name and Address Data Has Been Validated by the DNS Server in the Default Domain Policy of your domain pearson.com. Your DNSSEC-configured DNS is named DNS1. In the Default Domain Policy, you add a rule for sec.pearson.com with DNSSEC (Validation) = “Yes” and DNSSEC (IPsec) = “No”. You want to ensure that the value for DNSSECValidationRequired is True on client1 (Windows 10). Which PowerShell command can you use? (Choose two.)
- A. Gpupdate /force
- B. Resolve-dnsname dc1.sec.pearson.com -server dns1 -DNSSECok
- C. Get-dnsclientnrptpolicy
- D. Resolve-dnsname -name sec.pearson.com -type dnskey -server dns1 -DNSSECok
Answer : [A, C]
Explanation :
On client1, you must first refresh the GPO settings from the Default Domain Policy; this delivers the NRPT rule to the client and makes client1 a DNSSEC-enabled client. After that, you can verify the DNSSECValidationRequired value with the Get-DnsClientNrptPolicy PowerShell cmdlet. You get output similar to the following:
Namespace : .sec.pearson.com
QueryPolicy :
SecureNameQueryFallback :
DirectAccessIPSecCARestriction :
DirectAccessProxyName :
DirectAccessDnsServers :
DirectAccessEnabled :
DirectAccessProxyType : NoProxy
DirectAccessQueryIPSecEncryption :
DirectAccessQueryIPSecRequired : False
NameServers :
DNSSECIPSecCARestriction :
DNSSECQueryIPSecEncryption :
DNSSECQueryIPSecRequired : False
DNSSECValidationRequired : True
NameEncoding : Utf8WithoutMapping
38.
Your environment consists of one parent domain named pearson.com and two child domains named usa.pearson.com and eu.pearson.com. You must plan the DNSSEC chain of trust, including delegations. Which statement is correct?
- A. One DS trust anchor is installed for the child zone.
- B. One DS trust anchor is installed for the parent zone.
- C. One trust anchor is installed for every zone that a caching DNS server can validate.
- D. Two trust anchors are installed for the parent zone.
Answer : [B]
Explanation :
Only one DS trust anchor has to be installed, for the parent zone. Delegations establish a chain of authentication down to the child zones: if all zones in the chain are signed with DNSSEC, a resolving DNS server needs only a single DS trust anchor, provided that the appropriate DS records for each child zone are published in its parent zone. It is therefore not necessary to install a trust anchor for every zone that a caching DNS server can validate. Build the chain of trust so that it is sufficient for the DNS server to hold one DS trust anchor for the parent zone.
39.
You have one domain named pearson.com and a child domain named eu.pearson.com. You want to start with your DNSSEC chain of trust configuration. On your root Windows Server 2016 DNS server, you see in Trust Points and the root folder that no DS record exists. Which configuration can you use to install a root trust anchor using the RSA/SHA256 algorithm as the starting point of your chain of trust? (Choose two.)
- A. Import-DnsServerTrustAnchor
- B. Dnscmd /retrieveroottrustanchors
- C. Add-DnsServerTrustAnchor -Root
- D. Add-DnsServerTrustAnchor -KeyProtocol DNSSEC -CryptoAlgorithm RsaSha256
Answer : [B, C]
Explanation :
With dnscmd /retrieveroottrustanchors, you can install the root trust anchor. The PowerShell command Add-DnsServerTrustAnchor -Root does the same. With the PowerShell command Import-DnsServerTrustAnchor, you can import a trust anchor from a specified DS set file, but not the root trust anchor. With Add-DnsServerTrustAnchor -KeyProtocol DNSSEC -CryptoAlgorithm RsaSha256, you can install trust anchors, but not the root trust anchor, and you also have to supply the Base64Data value, which is the key data itself.
40.
You want to produce a statement if you try to find a record that does not appear on your Windows Server 2016 DNS server. You also want to use hashing security for existing hosts. Which kinds of resource records do you need? (Choose two.)
- A. DNSKEY
- B. RRSIG
- C. NSEC
- D. NSEC3
- E. NSEC3PARAM
Answer : [D, E]
Explanation :
NSEC3 records provide authenticated denial of existence while hashing the names of existing hosts, so the zone's contents cannot simply be enumerated. A zone that uses NSEC3 also carries an NSEC3PARAM record, which holds the hashing parameters (algorithm, iterations and salt) and is necessary for the proper functioning of NSEC3.