Assigning the DNSSEC-HSM signing policy - BlueCat Address Manager - 8.3.0

Address Manager Administration Guide

Having already created a DNSSEC-HSM signing policy, you can now apply the policy to a DNS zone.

If you have not yet created a zone or DNS view in Address Manager, refer to the DNS section.
Important: Because of a current limitation, a space in the name of a DNS view may affect deployments with DNSSEC zone signing. If you are adding a DNS view that will be linked to a DNSSEC-HSM signing policy, the name of the view cannot contain spaces. For more information, refer to Knowledge Base article 14957 on BlueCat Customer Care.

To assign a DNSSEC-HSM signing policy to a DNS zone:

  1. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  2. Under DNS Views, click the name of a DNS view. The Top Level Domains section opens.
  3. Under Top Level Domains, click the name of a top level domain. The Sub Zones section opens.
  4. Click the DNSSEC tab. The Zone Signing, Zone Signing Keys, and Key Signing Keys sections appear.
  5. Under Zone Signing, click Configure Zone Signing. The Configure Zone Signing page opens.
  6. Under General Options, select the Signed check box.
  7. From the Signing Policy drop-down list, select a DNSSEC-HSM signing policy.
  8. Click Update. Address Manager applies the DNSSEC signing policy, and the zone signing and key information appears on the DNSSEC tab.
    Note: If Address Manager cannot connect to any HSM servers, you will receive the following error:

    THALES_API_ERROR

    Make sure Address Manager is connected to all HSM servers prior to assigning the DNSSEC-HSM signing policy.

When you sign a DNS zone, Address Manager automatically enables the DNSSEC Key Auto Generate option for the configuration. This means that all keys will automatically roll over according to the key parameters set in the signing policy. For more information on the DNSSEC Key Auto Generate option and emergency key rollover, refer to Managing DNSSEC keys.