The following describes the interaction between Address Manager and a DNS Server with DNSSEC enabled.
This diagram provides a simplified look at DNSSEC with Address Manager and a DNS Server.
Prior to deployment, the following must be completed using the Address Manager user interface:
- Create a DNSSEC signing policy.
- Assign the DNSSEC signing policy to one or more zones.
With a DNSSEC signing policy set and configured for zone signing, you can now deploy DNS.
- From the Address Manager user interface, deploy DNS with the DNSSEC signing policy.
- DNS Server signs the zone(s) by creating RRSIGs, NSEC/NSEC3 records, and injecting DNSKEYs.
Note:
- Both Private and Public Keys are stored on DNS Server and Address Manager.
- Dynamic updates on DNS Server are pushed to Address Manager via notifications.
- Key Rollover happens on DNS Server, triggered by an emergency key rollover, a manual key rollover, or a new DNSSEC signing policy.
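A post-deployment check for the records the signing step above should produce, as an added example (not Address Manager or DNS Server code). It assumes the zone's records have been captured in the presentation format printed by `dig +dnssec`; the zone name, addresses, key and signature data are constructed placeholders, and `parse` and `audit_signed_zone` are hypothetical helper names.

```python
from datetime import datetime, timezone

# Constructed sample (hypothetical zone, placeholder key/signature data).
# Delegation NS and glue records are legitimately unsigned; this sample has none.
SAMPLE_ZONE = """\
example.com. 3600 IN SOA ns1.example.com. admin.example.com. 1 3600 600 604800 3600
example.com. 3600 IN RRSIG SOA 8 2 3600 20300101000000 20241201000000 11111 example.com. c2ln
example.com. 3600 IN DNSKEY 257 3 8 a3Nr
example.com. 3600 IN DNSKEY 256 3 8 enNr
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20300101000000 20241201000000 22222 example.com. c2ln
example.com. 3600 IN NSEC mail.example.com. SOA RRSIG NSEC DNSKEY
example.com. 3600 IN RRSIG NSEC 8 2 3600 20300101000000 20241201000000 11111 example.com. c2ln
mail.example.com. 3600 IN A 192.0.2.25
www.example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN RRSIG A 8 3 3600 20200101000000 20191201000000 11111 example.com. c2ln
"""

def parse(text):
    """Yield (owner, type, rdata fields) for each IN-class record line."""
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 5 and f[2] == "IN":
            yield f[0].lower(), f[3], f[4:]

def audit_signed_zone(text, now):
    """Return findings for what signing should produce: DNSKEY, NSEC/NSEC3, RRSIG."""
    records = list(parse(text))
    present = {t for _, t, _ in records}
    findings = []
    for label, types in (("DNSKEY", {"DNSKEY"}), ("NSEC/NSEC3", {"NSEC", "NSEC3"})):
        if not present & types:
            findings.append(f"no {label} records")
    expiry = {}  # (owner, covered type) -> latest signature expiration
    for owner, t, r in records:
        if t == "RRSIG":  # rdata: covered alg labels ttl expiration inception ...
            exp = datetime.strptime(r[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            expiry[(owner, r[0])] = max(exp, expiry.get((owner, r[0]), exp))
    for owner, t in sorted({(o, t) for o, t, _ in records if t != "RRSIG"}):
        if (owner, t) not in expiry:
            findings.append(f"{owner} {t}: no covering RRSIG")
        elif expiry[(owner, t)] <= now:
            findings.append(f"{owner} {t}: RRSIG expired {expiry[(owner, t)]:%Y-%m-%d}")
    return findings

if __name__ == "__main__":
    for finding in audit_signed_zone(SAMPLE_ZONE, datetime.now(timezone.utc)):
        print(finding)
```

The check confirms presence and signature expiry only; it does not validate signatures cryptographically or walk the NSEC/NSEC3 chain.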