Knowledge

DNS_ERROR_NOT_ALLOWED_ON_ZSK - 9118 (0x239E)

This operation is not allowed on a zone signing key (ZSK).

Updated: Feb 21, 2026

Technical Meaning

The error code DNS_ERROR_NOT_ALLOWED_ON_ZSK with the numeric value 9118 and hexadecimal representation 0x239E indicates that a specific operation is not permitted on a zone signing key (ZSK) in the Windows DNS service.

Error Details

This error typically occurs when an attempt is made to perform an action that is restricted for ZSKs. Zone signing keys are used in DNSSEC (Domain Name System Security Extensions) to sign DNS resource records, ensuring their integrity and authenticity. The operation in question may involve modifying or querying the properties of a ZSK.

Usage Context

This error code is relevant within the context of managing DNSSEC zones and their associated keys. It is likely encountered during administrative tasks such as key management, zone signing operations, or when configuring DNSSEC settings for a domain.

Developer Interpretation

Developers should interpret this error code to mean that the operation being attempted on a ZSK is not supported by the system. This could include actions like deleting, modifying, or querying certain properties of the ZSK. The error suggests that such operations are restricted due to security and operational considerations.

Related Errors

  • DNS_ERROR_NO_SUCH_PROPERTY (9103): Indicates an attempt to access a property that does not exist on the object.
  • DNS_ERROR_NOT_ALLOWED_ON_RKSO (9126): Similar error for resource key signing operations.

FAQ

Q: What actions are restricted by this error?

A: The specific actions are not detailed in the error code itself, but they likely include any modifications or queries that would alter the state of a ZSK. These actions may be restricted to prevent unauthorized changes to DNSSEC configurations.

Q: Can this error occur during normal operations?

A: No, this error is typically encountered only when attempting to perform unsupported operations on a ZSK. Normal operations such as querying or signing records should not trigger this error.

Summary

The DNS_ERROR_NOT_ALLOWED_ON_ZSK error code indicates that an operation attempted on a zone signing key (ZSK) is not supported by the system, likely due to security and operational constraints. Developers should handle this error by ensuring that only valid operations are performed on ZSKs and by consulting documentation for specific allowed actions.