Configuring DNSSEC Trust Anchors - BlueCat Address Manager - 8.2.0

Address Manager Administration Guide

BlueCat Address Manager

DNSSEC Trust Anchors provide the public keys for trusted zones. Use this option to create a DNSSEC trusted anchor. This option is set at the server level.

When you set this option, you specify a list of fully-qualified domain names and their Key Signing Keys (KSKs). Additionally, you will need the KSKs for the trusted zones from the zone administrators.

Note: DNSSEC Trust Anchors will not be imported from, and cannot be deployed to Windows Server 2008, and Windows Server 2012 non-R2 servers. Address Manager does not prevent configuration of DNSSEC options for unsupported versions of Windows, since Address Manager is not aware of the version of a Managed Windows Server. Manually adding and attempting to deploy DNSSEC options to an unsupported version of Windows will result in a deployment error.

To set the DNSSEC Trust Anchors option:

  1. Navigate to the appropriate level in Address Manager (configuration, Windows server, or view).
  2. Click the Deployment Options tab.
  3. Click New, and then select DNS Option.
  4. From the Option drop-down menu, select DNSSEC Trust Anchors.
  5. In the FQDN field, enter a name of a Trust Anchor. In the Key field enter the valid DNSSEC key. For example:
    • 257 3 5 Base64Key
    • where:
    • 257 is the flag defined type of Key Signing Key (KSK).
    • 3 is the protocol field.
    • 4 is the algorithm field.
  6. Click Add to add the option and return to the Deployment Options tab.