DNSSEC with Address Manager and DNS/DHCP Server - BlueCat Integrity - 9.4.0

Address Manager Administration Guide

The following describes the interaction between Address Manager and a DNS Server with DNSSEC enabled.

This diagram provides a simplified look at DNSSEC with Address Manager and a DNS Server.

Prior to deployment, the following must be completed using the Address Manager user interface:
  • Create a DNSSEC signing policy.
  • Assign the DNSSEC signing policy to one or more zones.
With a DNSSEC signing policy set and configured for zone signing, you can now deploy DNS.
  1. From the Address Manager user interface, deploy DNS with the DNSSEC signing policy.
  2. DNS Server signs the zone(s) by creating RRSIGs, NSEC/NSEC3 records, and injecting DNSKEYs.
    • Both Private and Public Keys are stored on DNS Server and Address Manager.
    • Dynamic updates on DNS Server are pushed to Address Manager via notifications.
    • Key Rollover happens on DNS Server, triggered by an emergency key rollover, a manual key rollover, or a new DNSSEC signing policy.
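
A post-deployment check for the artifacts step 2 describes (DNSKEYs, RRSIGs, and NSEC/NSEC3 records), given here as an added example that is not part of the BlueCat documentation or product. It audits zone data in presentation format, such as the output of a zone transfer, and also reports expired signatures; the function name `audit_signed_zone` and the `example.test` records are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in zone-file presentation format. Key and signature
# fields are short placeholders, not real key material.
SAMPLE = """\
example.test. 3600 IN SOA ns1.example.test. admin.example.test. 1 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 13 2 3600 20300101000000 20291201000000 11111 example.test. c2ln
example.test. 3600 IN NS ns1.example.test.
example.test. 3600 IN RRSIG NS 13 2 3600 20300101000000 20291201000000 11111 example.test. c2ln
example.test. 3600 IN DNSKEY 257 3 13 a2V5
example.test. 3600 IN DNSKEY 256 3 13 a2V5
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20300101000000 20291201000000 22222 example.test. c2ln
example.test. 3600 IN NSEC www.example.test. NS SOA RRSIG NSEC DNSKEY
example.test. 3600 IN RRSIG NSEC 13 2 3600 20300101000000 20291201000000 11111 example.test. c2ln
www.example.test. 3600 IN A 192.0.2.10
www.example.test. 3600 IN RRSIG A 13 3 3600 20200101000000 20191201000000 11111 example.test. c2ln
www.example.test. 3600 IN TXT "unsigned-record"
"""

def audit_signed_zone(text, now):
    """Report DNSKEY flags, denial-of-existence type, unsigned and expired RRsets.

    Assumes the input has no delegations or glue, which are legitimately unsigned.
    """
    rrsets, sig_expiry, dnskey_flags = set(), {}, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or line.startswith(";"):
            continue
        name, rtype, rdata = f[0].lower(), f[3].upper(), f[4:]
        if rtype == "RRSIG":
            # RRSIG rdata: type-covered alg labels orig-ttl expiration inception ...
            exp = datetime.strptime(rdata[4], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            key = (name, rdata[0].upper())
            # Keep the latest expiration when an RRset has several signatures.
            sig_expiry[key] = max(exp, sig_expiry.get(key, exp))
        else:
            rrsets.add((name, rtype))
            if rtype == "DNSKEY":
                dnskey_flags.append(int(rdata[0]))
    types = {t for _, t in rrsets}
    return {
        "dnskey_flags": sorted(dnskey_flags),
        "denial": "NSEC3" if "NSEC3" in types else "NSEC" if "NSEC" in types else None,
        "unsigned": sorted(k for k in rrsets if k not in sig_expiry),
        "expired": sorted(k for k, exp in sig_expiry.items() if exp <= now),
    }

if __name__ == "__main__":
    print(audit_signed_zone(SAMPLE, datetime.now(timezone.utc)))
```

An empty `unsigned` and `expired` list, at least one DNSKEY, and a non-empty `denial` value indicate that signing produced the records listed in step 2.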