Editing HSM-enabled DNS Servers - BlueCat Integrity - 26.1.0

Address Manager Administration Guide

Product name: BlueCat Integrity
Version: 26.1.0

Edit the name, deployment options, and HSM settings of managed DNS/DHCP Server appliances and VMs.

Note: DO NOT edit multiple HSM-enabled DNS/DHCP Servers at the same time

BlueCat advises customers not to attempt to take more than one DNS/DHCP Server under Address Manager control at the same time while enabling HSM, for example from multiple browser tabs or windows, or from multiple admin users working in parallel (not necessarily from the same workstation). Doing so can result in misconfiguration of the DNS/DHCP Server.

Note: If editing an HSM-enabled DNS Server for use in an xHA pair, edit the server, making sure to enable HSM support from the Edit Server page, then create xHA. For more information, refer to OPTIONAL: Editing an HSM-enabled xHA pair.

To edit HSM-enabled DNS Servers:

  1. Select the Servers tab in the sidebar, then select Servers.
  2. Select the row containing the HSM-enabled DNS Server in the Servers table, then select Edit in the expanded details section.
  3. Under Server, you can edit the following:
    • Profile—select the model number of your DNS Server from the drop-down menu.
      Note: If you want to use the monitoring service, you must first enable SNMP on each DNS/DHCP Server you intend to monitor. For details, refer to Enabling monitoring services for DNS/DHCP Server.
    • Name—enter the name for the server. This name is used only in the Address Manager user interface and isn't associated with deployed DNS data.
    • Management address—enter the IPv4 or IPv6 address configured on the eth0 interface in the DNS/DHCP Server Administration Console. If Dedicated Management is enabled, enter the IPv4 or IPv6 address configured on the eth2 interface.
      Note: If editing a server, the Management address field is only available after you have first disabled the managed DNS/DHCP Server. If you want to change the IP address of the Management interface (eth2), you must first re-configure the IP address of the Management interface using the DNS/DHCP Server Administration Console, disable the server in Address Manager, then edit the server with the new IP address.
    • Hostname—the host name used for the server on the network. For example, myhost.example.com.
    • Location (Optional)—select the location from the drop-down menu on which the server object that you are adding or editing will be based. The most frequently used location objects are shown at the top of the list, followed by all other locations in alphabetical order.
  4. On the Validation options tab, set the following options to override DHCP and DNS services configuration or DNS zones validation settings configured at the configuration level:
    • Override configuration level DHCP validation settings—select the checkbox to set DHCP deployment validation options that are specific to the server. If selected, the Enable DHCP configuration validation checkbox appears.
      • Enable DHCP configuration validation—select the checkbox to check the syntax of the dhcpd.conf file and validate data prior to deployment from Address Manager.
    • Override configuration level DNS validation settings—select the checkbox to set deployment validation options that are specific to the server. If selected, the Enable DNS configuration validation and Enable DNS zone validation checkboxes appear:
      • Enable DNS configuration validation—select the checkbox to check the syntax of the named.conf file and validate data prior to deployment from Address Manager.
      • Enable DNS zones validation—select the checkbox to check the syntax of each DNS zone file and validate data prior to deployment from Address Manager. This is equivalent to setting the -i switch for the named-checkzone tool. If selected, the DNS zones deployment validation settings are displayed; configure them as described in step 5.
  5. If Enable DNS zone validation is selected, configure the following DNS zones validation settings:
    • Post-load zone integrity validation—performs syntax checks based on the mode you select for this option. Select one of the following modes:
      • Full—checks for the following conditions:
        • If MX records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
        • If SRV records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
        • If Delegation NS records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
        • If glue address records in the zone match those specified by the child.
      • Local—checks for the following conditions:
        • If MX records refer to A or AAAA records, for in-zone hostnames.
        • If SRV records refer to A or AAAA records, for in-zone hostnames.
        • If Delegation NS records refer to an A or AAAA record, for in-zone hostnames.
        • If glue address records in the zone match those specified by the child.
      • Full-sibling—performs the same checks as in Full mode but doesn't check the glue records.
      • Local-sibling—performs the same checks as in Local mode but doesn't check the glue records.
      • None—disables all post-load zone integrity checks.
    • Check names—checks that the names in the zone are syntactically valid host names. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if MX records are IP addresses—checks if MX records point to an IP address rather than an A or AAAA record. This is equivalent to setting the -M switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if MX records point to CNAME records—checks if MX records point to a CNAME record rather than an A or AAAA record. This is equivalent to setting the -M switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if NS records are IP addresses—checks if NS records point to an IP address rather than an A or AAAA record. This is equivalent to setting the -n switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if SRV records point to CNAME records—checks if SRV records point to a CNAME record rather than an A or AAAA record. This is equivalent to setting the -S switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check for non-terminal wildcards—checks for wildcards in zone names that don't appear as the last segment of a zone name: for example, mail.*.example.com. Non-terminal wildcards are permissible, but you may want to be alerted to their presence. This is equivalent to setting the -W switch for the named-checkzone tool. Select Ignore or Warn to determine how Address Manager handles conditions found by this check.
    For the preceding options, Ignore, Warn, or Fail have the following effects:
    • Ignore—Ignores the condition, so it isn't logged in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
    • Warn—Logs the condition in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
    • Fail—Logs the condition in the Zone Validation server log. Deployment fails. The existing DNS data is left in place and the new data isn't deployed.
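    The following added example (not BlueCat or BIND code) models what the zone validation settings above do to a deployment: it parses a small constructed zone, runs simplified versions of the MX, NS, SRV, name and wildcard checks plus a Local/Full post-load integrity check, and applies the Ignore/Warn/Fail semantics to decide whether deployment would proceed. The parser, the `ZoneValidationSettings` class and the `resolver` callback are assumptions of this example; glue-record comparison is not modelled, and in a real deployment named-checkzone performs the checks.

```python
"""Pre-deployment zone lint modelled on the Address Manager zone validation options.
Added example, not BlueCat or BIND code; the parser and settings class are assumptions."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Optional

IGNORE, WARN, FAIL = "ignore", "warn", "fail"
HOST_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")  # RFC 1123 host name label


@dataclass
class ZoneValidationSettings:
    """One severity per check, plus the post-load integrity mode, as on the Edit Server page."""
    integrity: str = "local"            # full | local | full-sibling | local-sibling | none
    check_names: str = WARN
    mx_is_ip: str = FAIL
    mx_cname: str = FAIL
    ns_is_ip: str = FAIL
    srv_cname: str = FAIL
    non_terminal_wildcard: str = WARN   # the page allows only Ignore or Warn here


def is_ip(text: str) -> bool:
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def fqdn(name: str, origin: str) -> str:
    """Expand '@' and relative names against the origin; drop the trailing dot."""
    if name == "@":
        return origin.lower()
    return name[:-1].lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text: str, origin: str) -> list[tuple[str, str, str]]:
    """Minimal parser for single-line 'owner [TTL] [IN] TYPE rdata' records."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("$"):
            continue
        owner, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                    # optional TTL and class
        rtype, data = rest[0].upper(), rest[-1]   # for MX/SRV/NS/CNAME the host name is last
        if rtype in ("MX", "SRV", "NS", "CNAME") and not is_ip(data):
            data = fqdn(data, origin)
        records.append((fqdn(owner, origin), rtype, data))
    return records


def lint_zone(records, origin: str, settings: ZoneValidationSettings,
              resolver: Optional[Callable[[str], bool]] = None):
    """Return (findings, deploy_allowed). resolver(name) answers whether an out-of-zone
    name has an address record and is consulted only in the Full modes (assumed API)."""
    origin = origin.lower()
    types_at: dict[str, set[str]] = {}
    for owner, rtype, _ in records:
        types_at.setdefault(owner, set()).add(rtype)
    findings: list[tuple[str, str]] = []

    def report(severity: str, message: str) -> None:
        if severity != IGNORE:             # Ignore: neither logged nor blocking
            findings.append((severity, message))

    def in_zone(name: str) -> bool:
        return name == origin or name.endswith("." + origin)

    for owner, rtype, data in records:
        labels = owner.split(".")
        if rtype in ("A", "AAAA", "MX", "NS") and not all(l == "*" or HOST_LABEL.match(l) for l in labels):
            report(settings.check_names, f"{owner}: owner is not a valid host name")
        if "*" in labels[1:]:
            report(settings.non_terminal_wildcard, f"{owner}: non-terminal wildcard")
        if rtype == "MX" and is_ip(data):
            report(settings.mx_is_ip, f"{owner}: MX points to address {data}")
        elif rtype == "MX" and "CNAME" in types_at.get(data, ()):
            report(settings.mx_cname, f"{owner}: MX points to CNAME {data}")
        if rtype == "NS" and is_ip(data):
            report(settings.ns_is_ip, f"{owner}: NS points to address {data}")
        if rtype == "SRV" and "CNAME" in types_at.get(data, ()):
            report(settings.srv_cname, f"{owner}: SRV points to CNAME {data}")
        # Post-load integrity: MX/SRV/NS targets need an address record (treated as Fail here).
        if rtype in ("MX", "SRV", "NS") and settings.integrity != "none" and not is_ip(data):
            if in_zone(data):
                if not types_at.get(data, set()) & {"A", "AAAA", "CNAME"}:
                    report(FAIL, f"{owner}: {rtype} target {data} has no address record")
            elif settings.integrity.startswith("full") and resolver and not resolver(data):
                report(FAIL, f"{owner}: out-of-zone {rtype} target {data} has no address record")
    return findings, not any(sev == FAIL for sev, _ in findings)


# Constructed sample zone; each commented line triggers one of the checks above.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@          IN SOA   ns1 hostmaster 2024010101 3600 900 604800 300
@          IN NS    ns1
@          IN NS    10.0.0.53                 ; NS record that is an IP address
ns1        IN A     192.0.2.53
@          IN MX    10 mailalias              ; MX that points to a CNAME
mailalias  IN CNAME mail
mail       IN A     192.0.2.25
@          IN MX    20 192.0.2.26             ; MX that is an IP address
_sip._tcp  IN SRV   10 60 5060 sipalias       ; SRV that points to a CNAME
sipalias   IN CNAME sip
sip        IN A     192.0.2.5
mail.*     IN A     192.0.2.99                ; non-terminal wildcard
bad_host   IN A     192.0.2.7                 ; underscore is not valid in a host name
@          IN MX    30 mx.partner.example.    ; out-of-zone target, checked only in Full modes
"""


def run(settings: ZoneValidationSettings, resolver=None):
    return lint_zone(parse_zone(SAMPLE_ZONE, "example.com"), "example.com", settings, resolver)


if __name__ == "__main__":
    results, allowed = run(ZoneValidationSettings())
    for severity, message in results:
        print(f"{severity.upper():5} {message}")
    print("deployment proceeds" if allowed else "deployment fails, existing data left in place")
```

    With the default settings the sample zone produces four Fail and two Warn findings, so deployment is blocked; switching the same checks to Warn logs the same six conditions but lets the deployment proceed, which is the trade-off the Ignore/Warn/Fail choice encodes.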
  6. On the Kerberos service principal tab, set the DNS and DHCP service principals:
    • Enable DNS service principal—select this checkbox to specify the security credential for the DNS service to use to authenticate keys requested by the GSS-TSIG protocol. When you select this checkbox, the DNS Service Principal drop-down menu appears. Select a Kerberos service principal from the drop-down menu.
    • Enable DHCP service principal—select this checkbox to specify the security credential for the DHCP service to use to authenticate keys requested by the GSS-TSIG protocol. When you select this checkbox, the DHCP Service Principal drop-down menu appears. Select a Kerberos service principal from the drop-down menu.
  7. Under HSM support, the Enable HSM Support checkbox is selected for HSM-enabled DNS servers.
    To disable HSM support for the DNS server, clear the checkbox.
    To add one or more HSM servers, select an HSM server from the drop-down menu and select the add icon (+). Repeat this step to add multiple HSM servers.
    To remove one or more HSM servers, select the remove icon (x) for the servers.
    To re-order the hierarchy of the HSM servers in the list, drag and drop a server to move it up or down in the list. The HSM server at the top of the order will be the Primary; the HSM servers below the Primary will be the Secondary, Tertiary, and so on.
  8. In the Change control section, add comments if required.
  9. Select Save.