DNSSEC with HSM - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Product name
BlueCat Integrity

DNSSEC-HSM adds a greater level of security by generating, signing, and storing encrypted keys on the third-party HSM server instead of BlueCat servers. HSM appliances are manufactured to meet strict security standards and use enclosures that contain tamper detection and tamper protection.

When a zone is signed in the Address Manager user interface, Address Manager sends a request to the HSM server to generate keys. The HSM server generates keys and stores them internally. It then communicates back to Address Manager the result of the operation (success), and sends the Key Blob, which is a pointer to the private key in the HSM database, including the public part of newly generated key that's published at the signed zone as a DNSKEY (KSK or ZSK depending on original request from Address Manager).

The public part of the key is stored in the Address Manager database as long as key is active and sent to the DNS/DHCP Servers each time as part of a full DNS deployment. Along with the DNSKEY, each full DNS deployment sends the Key Blob that's used by DNS service to call HSM to perform all necessary operations with that key (initial zone signing, signature regeneration, adding records, rebuilding NSEC/NSEC3 chains).

The following diagram provides a simplified look at the DNSSEC zone signing process with HSM:

  1. Address Manager joins the HSM Security World and synchronizes with the RFS/Security World files.

    You can choose to configure the Security World either using an RFS or via upload of Security World files to Address Manager. Joining Address Manager to the HSM Security World only happens upon initial HSM configuration set-up. The RFS synchronization is configured for “No Authentication,” which is the preferred state for DNSSEC and HSM failover.

  2. Address Manager requests the HSM server to generate keys.
  3. The HSM server sends the keys (ZSK or KSK depending on the request from Address Manager) and encrypted key data (Key Blob) to Address Manager for deployment. The public key is stored and backed-up on the Address Manager database. The private key remains stored on the HSM server.
  4. The DNS Server joins the HSM Security World and extracts the Security World files. Joining managed DNS Servers to the HSM Security World happens upon enabling HSM support on the DNS Servers.
  5. Address Manager deploys primary zone data and the Key Blob to the managed DNS Server or servers.
  6. The DNS Server sends zone data and the Key Blob to the HSM server for zone signing.
  7. The HSM server performs the zone signing and returns the signed record to the DNS Server.
  8. The DNS Server sends the deployment status to Address Manager.