Assigning the DNSSEC-HSM signing policy - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Having already created a DNSSEC-HSM signing policy, you can now apply the policy to a DNS zone.

If you haven't yet created a zone or DNS view in Address Manager, refer to the DNS section.

Important: Currently, a limitation exists whereby a space in the name of a DNS view may affect deployments with DNSSEC zone signing. If you are adding a DNS view that will be linked to a DNSSEC-HSM signing policy, the name of the view can't contain spaces. For more information, refer to Knowledge Base article 14957 on BlueCat Customer Care.

To assign a DNSSEC-HSM signing policy to a DNS zone:

  1. Select the DNS tab in the sidebar, then select Views.
  2. Select the name of a view in the Views table or DNS tree.
  3. Select the name of the zone or subzone for which you want to assign the DNSSEC-HSM signing policy.
  4. Select the DNSSEC tab.
  5. Select Configure zone signing.
  6. Set the following parameters:
    • Signed—select the checkbox.
    • Signing policy—select a DNSSEC-HSM signing policy from the drop-down menu.
  7. In the Change control section, add comments if required.
  8. Select Save.
    Address Manager applies the DNSSEC-HSM signing policy, and the zone signing key and key signing key information appears in the DNSSEC tab.
    Note: If Address Manager can't connect to any HSM servers, you will receive the following error:

    An error occurred while calling the HSM provider API.

    Make sure Address Manager is connected to all HSM servers prior to assigning the DNSSEC-HSM signing policy.

When you sign a DNS zone, Address Manager automatically enables the DNSSEC Key Auto Generate option for the configuration. This means that all keys will automatically roll over according to the key parameters set in the signing policy. For more information on the DNSSEC Key Auto Generate option and emergency key rollover, refer to Managing DNSSEC keys.