Assigning the DNSSEC-HSM signing policy - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.4.0

Having already created an DNSSEC-HSM signing policy, you can now apply the policy to a DNS zone.

If you haven't yet created a zone or DNS view in Address Manager, refer to the DNS section.
Important: Currently, a limitation exists whereby a space in the name of a DNS view may affect deployments with DNSSEC zone signing. If you are adding a DNS view that will be linked to a DNSSEC-HSM signing policy, the name of the view can't contain spaces. For more information, refer to Knowledge Base article 14957 on BlueCat Customer Care.

To assign an DNSSEC-HSM signing policy to a DNS zone:

  1. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  2. Under DNS Views, click the name of a DNS view. The Top Level Domains section opens.
  3. Under Top Level Domains, click the name of a top level domain. The Sub Zones section opens.
  4. Click the DNSSEC tab. The Zone Signing, Zone Signing Keys, and Key Signing Keys sections appear.
  5. Under Zone Signing, click Configure Zone Signing.
  6. Under General Options, select the Signed check box.
  7. From the Signing Policy drop-down list, select a DNSSEC-HSM signing policy.
  8. Click Update. Address Manager applies the DNSSEC signing policy and the zone signing and key information appears on the DNSSEC tab.
    Note: If Address Manager can't connect to any HSM servers, you will receive the following error:

    An error occurred while calling the HSM provider API.

    Make sure Address Manager is connected to all HSM servers prior to assigning the DNSSEC-HSM signing policy.

When you sign a DNS zone, Address Manager automatically enables the DNSSEC Key Auto Generate option for the configuration. This means that all keys will automatically roll over according to the key parameters set in the signing policy. For more information on the DNSSEC Key Auto Generate option and emergency key rollover, refer to Managing DNSSEC keys.