You need to verify whether a DNS response from a DNS server is signed by DNSSEC.
What should you run?
A.
nslookup.exe
B.
dnscmd.exe
C.
Resolve-DNSName
D.
Get-NetIPAddress
Explanation:
The Resolve-DnsName cmdlet performs a DNS query for the specified name. This cmdlet is functionally similar
to the nslookup tool which allows users to query for names. The Resolve- DnsName cmdlet was introduced in
Windows Server 2012 and Windows 8 and can be used to display DNS queries that include DNSSEC data.
Parameters include:
* -DnssecOk
Sets the DNSSEC OK bit for this query.
* -DnssecCd
Sets the DNSSEC checking-disabled bit for this query
Example: In the following example, the DO=1 flag is set by adding the dnssecok parameter.
PS C:\\> resolve-dnsname -name finance.secure.contoso.com -type A -server dns1.contoso.com -dnssecok
Incorrect:
Not A: Do not use the nslookup command-line tool to test DNSSEC support for a zone. The nslookup tool uses
an internal DNS client that is not DNSSEC-aware.
Resolve-DnsName
https://technet.microsoft.com/library/jj590781.aspx
Overview of DNSSEC
https://technet.microsoft.com/en-us/library/jj200221.aspx#validation