Configuring DNSSEC Trust Anchors - BlueCat Address Manager

DNSSEC Trust Anchors provide the public keys for trusted zones. Use this option to create a DNSSEC trusted anchor. This option is set at the server level.

When you set this option, you specify a list of fully-qualified domain names and their Key Signing Keys (KSKs). Additionally, you will need the KSKs for the trusted zones from the zone administrators.

Note: DNSSEC Trust Anchors will not be imported from, and cannot be deployed to Windows Server 2008, and Windows Server 2012 non-R2 servers. Address Manager does not prevent configuration of DNSSEC options for unsupported versions of Windows, since Address Manager is not aware of the version of a Managed Windows Server. Manually adding and attempting to deploy DNSSEC options to an unsupported version of Windows will result in a deployment error.

To set the DNSSEC Trust Anchors option:

Navigate to the appropriate level in Address Manager (configuration, Windows server, or view).
Click the Deployment Options tab.
Click New, and then select DNS Option.
From the Option drop-down menu, select DNSSEC Trust Anchors.
In the FQDN field, enter a name of a Trust Anchor. In the Key field enter the valid DNSSEC key. For example:
- 257 3 5 Base64Key
- where:
- 257 is the flag defined type of Key Signing Key (KSK).
- 3 is the protocol field.
- 4 is the algorithm field.
Click Add to add the option and return to the Deployment Options tab.

Configuring DNSSEC Trust Anchors - BlueCat Address Manager - 9.0.0

Address Manager Administration Guide