If your zone requires reverse zone signing, apply the DNSSEC policy to the IPv4 block
or IPv4 network at which you assigned the DNS deployment role. You can first create a unique
signing policy for the reverse space if necessary.
When you sign a DNS zone or DNS reverse zone, Address Manager
automatically enables the DNSSEC Key Auto Generate option for the configuration.
This means that all keys will automatically roll over according to the key
parameters set in the signing policy. For more information on the DNSSEC Key Auto
Generate option, refer to Managing DNSSEC key rollover and generation.
To apply a DNSSEC signing policy to a reverse zone:
- Select the IPAM tab in the sidebar, then select IPv4 blocks.
- If you want to sign an IPv4 block, select a block from the IPv4 blocks table or DNS tree. If you want to sign an IPv4 network, navigate to the IPv4 network by selecting the parent block that contains the IPv4 network.
- Select the DNSSEC tab.
- Select Configure signing policy.
- Set the following parameters:
  - Reverse zone signed: select the checkbox.
  - Reverse zone signing policy: select a DNSSEC signing policy from the drop-down menu.
- In the Change control section, add comments if required.
- Select Save.
- Configure DNSSEC deployment options if needed prior to deploying DNS service. For details, refer to Configuring a DNSSEC validating server.
- Deploy DNS service with your DNSSEC signing policy.
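
After deployment, you can confirm that the reverse zones for the block or network are actually served signed. The following is an added example, not part of the product documentation: it derives the octet-aligned in-addr.arpa zone names for an IPv4 block and checks dig-style answer text for apex DNSKEY and RRSIG records. It assumes reverse zones fall on /8, /16 or /24 boundaries (no RFC 2317 classless delegation); the function names and the sample answer are constructed for illustration.

```python
import ipaddress

def reverse_zones(cidr):
    """Return the octet-aligned in-addr.arpa zones covering an IPv4 block or network."""
    net = ipaddress.ip_network(cidr, strict=True)  # rejects host bits, e.g. 10.0.0.1/24
    if net.version != 4:
        raise ValueError("IPv4 only")
    # Assumption: a network longer than /24 lives inside its parent /24 reverse zone.
    if net.prefixlen > 24:
        net = net.supernet(new_prefix=24)
    boundary = next(b for b in (8, 16, 24) if net.prefixlen <= b)
    zones = []
    for sub in net.subnets(new_prefix=boundary):
        octets = str(sub.network_address).split(".")[: boundary // 8]
        zones.append(".".join(reversed(octets)) + ".in-addr.arpa.")
    return zones

def signing_status(answer_text, zone):
    """Report which apex DNSSEC records appear for `zone` in dig-style answer lines.

    Presence check only: it does not validate signatures or the chain of trust.
    """
    has_dnskey, covered = False, set()
    for line in answer_text.splitlines():
        fields = line.split()
        if line.startswith(";") or len(fields) < 5:
            continue  # skip dig comments and blank or short lines
        name, rtype = fields[0].lower(), fields[3]
        if name != zone.lower():
            continue
        if rtype == "DNSKEY":
            has_dnskey = True
        elif rtype == "RRSIG":
            covered.add(fields[4])  # first RDATA field is the type covered
    return {"dnskey": has_dnskey, "dnskey_signed": "DNSKEY" in covered}

# Constructed sample in the shape of `dig +dnssec DNSKEY <zone>` output;
# key and signature material are placeholders, not real values.
SAMPLE = """\
;; ANSWER SECTION:
4.20.10.in-addr.arpa. 3600 IN DNSKEY 257 3 13 PLACEHOLDERKEY==
4.20.10.in-addr.arpa. 3600 IN RRSIG DNSKEY 13 5 3600 20300101000000 20290101000000 12345 4.20.10.in-addr.arpa. PLACEHOLDERSIG==
"""

if __name__ == "__main__":
    for z in reverse_zones("10.20.4.0/22"):
        print(z, signing_status(SAMPLE, z))
```

A zone that reports `dnskey: False` after deployment was not signed by the policy; one with keys but `dnskey_signed: False` is serving an unsigned key set and will fail validation.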