Address Manager supports DNSSEC with the following functions:
- DNSSEC Signing Policies: define a signing policy that contain the
parameters for creating and managing Zone Signing Keys (ZSKs) and Key
Signing Keys (KSKs). Signing a forward or reverse zone is then a simple
matter of linking the signing policy to the zone.Attention: Currently, a limitation exists whereby a space in the name of a DNS view may affect deployments with DNSSEC zone signing. If you are adding a DNS view that will be linked to a DNSSEC signing policy, the name of the view cannot contain spaces. For more information, refer to article 14957 on BlueCat Customer Care.
- DNSSEC Key Generation and Rollover Functions: Address Manager manages ZSK and KSK generation and rollover automatically, but you can also manually override these functions. Use Key Generation when you want to manually update keys, and use Emergency Key Rollover when you need to replace a key that has been compromised. For more information, refer to Managing DNSSEC key rollover and generation.
- DNSSEC Deployment Options: you can enable DNSSEC and configure DNSSEC validation on managed DNS servers using DNSSEC deployment options. Three deployment options are available to enable DNSSEC, to enable DNSSEC validation, and to create DNSSEC trust anchors. For more information, refer to Configuring a DNSSEC validating server.
- DNSSEC Signing Summary report: you can generate a report that lists all
signed and unsigned zones in a configuration. For more information, refer to
Report Types.Note: DNSSEC uses EDNS (Extension Mechanisms for DNS). To use DNSSEC, you must ensure that your network firewalls allow UDP packets larger than 512 bytes.