Creating a chain of trust for delegated third-party zones - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.4.0

How to create a chain of trust for delegated third-party zones.

When setting up DNS zone delegation for parent and child zones that are managed through Address Manager, Address Manager automatically creates all necessary resource records for the zones. However, Address Manager doesn't automatically create DNSSEC resource records for delegated zones that are on third-party servers that are outside of your control. In this case, either send the KSK public key to the administrator of the parent zone or you can manually create a DS record for the delegated child zone. You create the DS record by specifying the child zone name and key data.

For example: you manage the parent zone example.com and deploy it to the managed server ns1.example.com. You also want to set up delegation for the zone child.example.com on the third-party server ns10.example.com. The server ns10.example.com is outside of your control and is not managed by Address Manager.

In this example, you configure DNS zone delegation as you would for any zone that's outside of your control. For information on configuring zone delegation for this example, refer to DNS zone delegation.

To configure the trust anchor for the child zone, you need to add a DS record to the parent zone.

To add a DS record to a zone:

  1. Select the DNS tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  2. From the DNS tab, navigate to the DNS zone to which you want to add a DS record.
  3. Click the Resource Records tab.
  4. Under Resource Records section, click New and select Generic.
  5. Under General, set the following parameters:
    • Name—select the button beside the text field and enter the name of the child zone in the field. As you type the zone name, Address Manager updates the page name to show the fully-qualified domain name of the child zone.
    • Type—select DS from the drop-down menu.
    • Data—enter the zone’s KSK data. The key data must be in the trust anchor format.
  6. Under Additional Information, enter a optional description for the record in the Comments field. The comments are only for reference within Address Manager, and aren't deployed to your managed server.
  7. Under Change Control, add comments, if required.
  8. Click OK.