After adding HSM servers, configuring the Security World, and joining Address Manager to the Security World, the next step is to enable HSM support on managed BlueCat DNS Servers on your network.
- Enabling HSM on your managed BlueCat DNS Servers allows the DNS Servers to join the HSM Security World. DNS deployment will fail if the DNS Servers aren't part of the Security World.
- Once you have enabled HSM on your managed DNS Servers and they have joined the HSM Security World, connectivity between each managed DNS Server and at least one HSM Server is required at all times: the DNS Server needs the HSM during all normal operations, not only during DNSSEC-HSM zone signing. Without that connectivity the DNS service doesn't operate correctly.
- HSM will NOT function if Dedicated Management is enabled. Disable Dedicated Management from the DNS/DHCP Server Administration Console prior to configuring the server in Address Manager.
- You can configure HSM with xHA but with certain limitations. For details, refer to OPTIONAL: HSM with xHA.
- If using a Remote File System to join Address Manager and managed DNS Servers to the Security World, the RFS is configured for No Authentication, which is the preferred state for DNSSEC and HSM failover. RFS-synchronization with Authentication would set authentication to a single HSM server, which could prevent other clients from joining the Security World.
BlueCat advises customers not to take more than one DNS/DHCP Server under Address Manager control at the same time while enabling HSM, for example from multiple browser tabs or windows, or from multiple admin users working in parallel (whether or not from the same workstation). Doing so can result in misconfiguration of the DNS/DHCP Server.
To enable HSM on DNS Servers:
- Select the Servers tab in the sidebar, then select Servers.
- If adding a new server, select New. If editing an existing server, select the row containing the server, then select Edit in the expanded details section.
- Under Server, configure the following parameters:
- Profile—select the model number of your DNS Server from the drop-down menu. Note: If you want to use the monitoring service, you must first enable SNMP on each DNS/DHCP Server you intend to monitor. For details, refer to Enabling monitoring services for DNS/DHCP Server.
- Name—enter the name for the server. This name is used only in the Address Manager user interface and isn't associated with deployed DNS data.
- Management address—enter the IPv4 or IPv6 address configured on the eth0 interface in the DNS/DHCP Server Administration Console. (If Dedicated Management were enabled you would enter the address configured on the eth2 interface instead, but HSM requires Dedicated Management to be disabled, as noted above.) Note: If editing a server, the Management address field is only available after you have first disabled the managed DNS/DHCP Server. If you want to change the IP address of the Management interface (eth2), you must first re-configure the IP address of the Management interface using the DNS/DHCP Server Administration Console, disable the server in Address Manager, then edit the server with the new IP address.
- Hostname—The host name used for the server on the network. For example, myhost.example.com
- Connect to server—by default, this checkbox is selected. It allows Address Manager to connect to the server once it's added. Clear this checkbox if you don't want to connect to the server at this time. Important: The Connect to server checkbox must be selected in order to select the Detect server settings button, which is required to add the server to Address Manager.
- Upgrade to latest version—by default, this option is deselected. This provides a safe environment to add a DNS/DHCP Server in Address Manager without applying an unintentional software update. Select the checkbox only if you want to apply the latest version of DNS/DHCP Server software once the appliance is under Address Manager control. Note: BlueCat recommends upgrading the DNS/DHCP Server software only after first adding the server to Address Manager. Add the server without selecting the Upgrade to latest version checkbox. After the server has been added to Address Manager, upgrade the server software. For details, refer to Upgrading DNS/DHCP Server software.
- Password—enter the server password. You must enter a password in order to click the Detect Server Settings button. For more information on the default server password, refer to BlueCat default login credentials (you must be authenticated to view this topic).
- Location—(Optional) select a location from the drop-down menu on which the server object that you are adding or editing will be based. The most often used location objects are shown at the top of the list, followed by all other locations in alphabetical order.
- On the Interfaces tab, select Detect server settings. Address Manager will check the DNS/DHCP Server software version, interface count, state of Dedicated Management, IP address, and redundancy scenario (4-port appliances only).
Important: Selecting Detect server settings is mandatory to ensure that Address Manager properly identifies the current DNS/DHCP Server interface configuration. The following fields are automatically populated based on the current configuration set through the DNS/DHCP Server Administration Console (the available fields depend on the number of interfaces of your DNS/DHCP Server):
- Primary IPv4 services address and prefix length—read-only. This is the IPv4 address and netmask that will be used only for services traffic such as DNS, DHCP, DHCPv6 and TFTP (3 and 4-port appliances only).
- Primary IPv6 services address and prefix length—read-only. Displays the IPv6 service address and subnet previously configured through the DNS/DHCP Server Administration Console.
- Enable xHA Backbone—select the checkbox if you want to configure the xHA interface and specify the IPv4 or IPv6 address and netmask/subnet to be used. Note: When configuring an IPv6 address for the xHA backbone, the prefix must be set between the accepted CIDR range of 64 to 127.
- Enable redundancy—select the checkbox to enable networking redundancy (4-port appliances only) or deselect to disable network redundancy. From the Scenario drop-down menu, select either Active/Backup or Active/Active (802.3ad). Note: You can't enable network redundancy from the Add Server page if any VLAN interfaces are present on the Service interface (eth0). If necessary, remove any configured VLAN interfaces using the DNS/DHCP Server Administration Console, then add the server to Address Manager and enable network redundancy. Once the server is under Address Manager control you can configure VLAN interfaces from the Address Manager user interface (Servers > Service Configuration > Interfaces). If you require VLAN Tagging with port bonding, you must first enable bonding, then immediately configure VLAN interfaces.
- Enable encrypted notifications—encryption of notifications is disabled by default. Select the checkbox to enable encrypted notifications between Address Manager and DNS/DHCP servers. Note:
About Encrypted Notifications: By default, Address Manager to DNS/DHCP Server communication (the command channel) is secured by TLS over TCP on port 10042. However, by default, dynamic DNS updates and DHCP lease information sent from DNS/DHCP Server to Address Manager (the notification channel) are signed rather than encrypted (primarily UDP on port 10045); they are integrity-protected, but their contents are not confidential on the wire. With encrypted notifications enabled, DNS/DHCP Server to Address Manager notifications are secured by TLS over TCP on port 10046.
- The Enable encrypted notifications checkbox is available only for BDDS v9.4.0 or greater.
- This checkbox only appears after detecting server settings.
- The ability to toggle the notifications channel between encrypted and unencrypted will be removed in a future release of Address Manager; all notification traffic between Address Manager and DNS/DHCP Servers will then be encrypted by default with no option to disable encryption.
- Encrypted notifications require certain ports to be opened on the firewall; see Address Manager service ports for more information.
- OPTIONAL: Under Monitoring Settings, select the following (only available if the DNS/DHCP Server Monitoring Service is enabled):
- Using default monitoring setting [Enabled]—selected by default. Leave selected to use the DNS/DHCP Server monitoring settings configured for the configuration.
- Override global monitoring setting—select to set custom monitoring settings for the server, then select Monitor this Server and configure the following SNMP Parameter settings:
- Version—select the SNMP version for the monitored servers.
- Port Number—indicates the SNMP port Address Manager uses to communicate with the monitored servers. The default port is 161. You can't change the port.
- Community String—type the SNMP Community String used for authentication and click Add. The Community String appears in the list. You can add up to 100 Community Strings to the list. Strings are used in the order presented in the list. To remove a string, select it from the list and click Remove. To change the order of items in the list, select an item in the list and click Move up or Move down.
- On the Validation options tab, set the following options to override DHCP and DNS services configuration or DNS zones validation settings configured at the configuration level:
- Override configuration level DHCP validation settings—select the checkbox to set DHCP deployment validation options that are specific to the server. If selected, the Enable DHCP configuration validation checkbox appears.
- Enable DHCP configuration validation—select the checkbox to check the syntax of the dhcpd.conf file and validate data prior to deployment from Address Manager.
- Override configuration level DNS validation settings—select the checkbox to set deployment validation options that are specific to the server. If selected, the Enable DNS configuration validation and Enable DNS zone validation checkboxes appear:
- Enable DNS configuration validation—select the checkbox to check the syntax of the named.conf file and validate data prior to deployment from Address Manager.
- Enable DNS zones validation—select the checkbox to check the syntax of each DNS zone file and validate data prior to deployment from Address Manager. This runs the equivalent of the named-checkzone tool; the -i switch (post-load integrity mode) and the per-check switches are set by the options below. If selected, the DNS zones deployment validation settings are displayed. If Enable DNS zone validation is selected, configure the following DNS zones validation settings:
- Post-load zone integrity validation—performs integrity checks on the loaded zone according to the mode you select for this option (equivalent to the -i switch of the named-checkzone tool). Select one of the following modes:
- Full—checks for the following
conditions:
- If MX records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
- If SRV records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
- If Delegation NS records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
- If glue address records in the zone match those specified by the child.
- Local—checks for the following conditions:
- If MX records refer to A or AAAA records, for in-zone hostnames.
- If SRV records refer to A or AAAA records, for in-zone hostnames.
- If Delegation NS records refer to an A or AAAA record, for in-zone hostnames.
- If glue address records in the zone match those specified by the child.
- Full-sibling—performs the same checks as in Full mode but doesn't check the glue records.
- Local-sibling—performs the same checks as in Local mode but doesn't check the glue records.
- None—disables all post-load zone integrity checks.
- Check names—checks that owner names, and the hostnames that NS, MX and SRV records point to, follow legal hostname syntax. This is equivalent to setting the -k switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
- Check if MX records are IP addresses—checks if MX records point to an IP address rather than an A or AAAA record. This is equivalent to setting the -m switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
- Check if MX records point to CNAME records—checks if MX records point to a CNAME record rather than an A or AAAA record. This is equivalent to setting the -M switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
- Check if NS records are IP addresses—checks if NS records point to an IP address rather than an A or AAAA record. This is equivalent to setting the -n switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
- Check if SRV records point to CNAME records—checks if SRV records point to a CNAME record rather than an A or AAAA record. This is equivalent to setting the -S switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
- Check for non-terminal wildcards—checks for wildcards in zone names that don't appear as the last segment of a zone name: for example, mail.*.example.com. Non-terminal wildcards are permissible, but you may want to be alerted to their presence. This is equivalent to setting the -W switch for the named-checkzone tool. Select Ignore or Warn to determine how Address Manager handles conditions found by this check.
For the preceding checks, Ignore, Warn, and Fail have the following effects:
- Ignore—Ignores the condition, so it isn't logged in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
- Warn—Logs the condition in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
- Fail—Logs the condition in the Zone Validation server log. Deployment fails. The existing DNS data is left in place and the new data isn't deployed.
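The zone checks listed above each map onto a named-checkzone switch, and the Ignore/Warn/Fail choice decides whether a finding blocks deployment. The following Python script is an added example, not BlueCat or ISC code: it re-implements those checks in simplified form over a sample zone file and an "external" lookup table that are both constructed inline (hypothetical data, so it runs offline), applies the Ignore/Warn/Fail policy the way the page describes it, and shows how the -i modes differ in whether out-of-zone targets are resolved and whether glue is compared. It does not parse full zone-file syntax ($-directives, parentheses, omitted owners), and glue is compared against the stand-in table rather than a real child zone.

```python
"""Simplified re-implementation of the DNS zone validation checks above (added example, not
BlueCat or ISC code): named-checkzone -m/-M/-n/-S/-W and the -i modes, run offline."""
import ipaddress
from collections import defaultdict

DEFAULT_POLICY = {"mx_ip": "warn", "mx_cname": "fail", "ns_ip": "fail",   # -m, -M, -n
                  "srv_cname": "fail", "wildcard": "warn"}                # -S, -W (Ignore/Warn only)

def fqdn(name, origin):
    """Make a zone-file name absolute and lowercase ('@' is the apex)."""
    name = name.lower()
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def is_ip(token):
    """True when an MX/NS/SRV target is a literal address instead of a hostname."""
    try:
        return bool(ipaddress.ip_address(token.rstrip(".")))
    except ValueError:
        return False

def parse_zone(text, origin):
    """Minimal parser for 'owner [ttl] [IN] TYPE rdata...' lines (every line carries an owner;
    no $-directives or parentheses). Returns {(absolute owner, TYPE): [rdata token lists]}."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        owner, *rest = line.split()
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                                  # drop optional TTL and class
        records[(fqdn(owner, origin), rest[0].upper())].append(rest[1:])
    return records

def check_zone(text, origin, integrity="full", policy=None, external=None):
    """Return (deploy_ok, findings). deploy_ok is False on any 'fail' finding: the existing
    zone data stays in place and nothing new is deployed. external = {name: set(addresses)}
    is a constructed stand-in for the DNS lookups a real checker would make."""
    origin = origin.lower().rstrip(".") + "."
    policy = {**DEFAULT_POLICY, **(policy or {})}
    external = external or {}
    records = parse_zone(text, origin)
    cnames = {owner for owner, rtype in records if rtype == "CNAME"}
    findings = []

    def report(check, message):                          # applies Ignore/Warn/Fail per check
        if policy[check] != "ignore":
            findings.append((policy[check], check, message))

    for (owner, rtype), rdatas in records.items():       # per-record checks (-m -M -n -S)
        for rdata in rdatas:
            if rtype not in ("MX", "NS", "SRV") or rdata[-1] == ".":
                continue
            target = fqdn(rdata[-1], origin)
            if rtype in ("MX", "NS") and is_ip(rdata[-1]):
                report(rtype.lower() + "_ip", f"{owner} {rtype} target {rdata[-1]} is an IP address")
            if rtype in ("MX", "SRV") and target in cnames:
                report(rtype.lower() + "_cname", f"{owner} {rtype} target {target} is a CNAME")
    for owner in {owner for owner, _ in records}:        # non-terminal wildcards (-W)
        if "*" in owner.rstrip(".").split(".")[1:]:
            report("wildcard", f"{owner} has a wildcard label that is not leftmost")

    if integrity != "none":                              # post-load integrity (-i mode)
        full = integrity.startswith("full")              # full* also resolves out-of-zone targets
        check_glue = not integrity.endswith("sibling")   # *-sibling skips the glue comparison
        for (owner, rtype), rdatas in records.items():
            if rtype not in ("MX", "SRV") and not (rtype == "NS" and owner != origin):
                continue                                 # NS: delegations only, not the apex set
            for rdata in rdatas:
                if rdata[-1] == "." or is_ip(rdata[-1]):
                    continue                             # IP targets were reported above
                target = fqdn(rdata[-1], origin)
                if target == origin or target.endswith("." + origin):
                    resolved = (target, "A") in records or (target, "AAAA") in records
                elif full:
                    resolved = target in external
                else:
                    continue                             # local* modes ignore out-of-zone targets
                if not resolved:
                    findings.append(("fail", "integrity", f"{owner} {rtype} target {target} has no A/AAAA"))
                if check_glue and rtype == "NS" and target.endswith("." + owner) and target in external:
                    glue = {r[0] for r in records.get((target, "A"), [])}
                    if glue != external[target]:
                        findings.append(("fail", "integrity", f"glue for {target} differs from the child zone"))
    return not any(sev == "fail" for sev, _, _ in findings), findings

ZONE = """\
@         3600 IN SOA   ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 300
@         3600 IN NS    ns1
ns1       3600 IN A     192.0.2.1
mail      3600 IN CNAME relay
relay     3600 IN A     192.0.2.25
@         3600 IN MX    10 mail               ; MX -> CNAME (-M); target also has no A/AAAA (-i)
@         3600 IN MX    20 192.0.2.26         ; MX target is an IP address (-m)
@         3600 IN MX    30 mx.partner.test.   ; out-of-zone target, resolved only in full modes
_sip._tcp 3600 IN SRV   10 5 5060 mail        ; SRV -> CNAME (-S); target also has no A/AAAA (-i)
sub       3600 IN NS    ns1.sub               ; delegation, glue record below
ns1.sub   3600 IN A     192.0.2.53
mail.*    3600 IN A     192.0.2.99            ; non-terminal wildcard (-W)
"""                                                      # constructed sample zone, not real data
EXTERNAL = {"mx.partner.test.": {"198.51.100.25"},       # constructed stand-in for DNS answers
            "ns1.sub.example.com.": {"192.0.2.53"}}      # (what the child zone publishes)
```

With the default policy and -i full, check_zone(ZONE, "example.com", "full", external=EXTERNAL) returns deploy_ok False with four fail findings (MX to CNAME, SRV to CNAME, and the two integrity failures on the same targets) and two warnings (MX to an IP address, non-terminal wildcard). Switching to a local mode drops the out-of-zone lookup of mx.partner.test., and a sibling mode drops the glue comparison, which is the practical difference between the five modes listed above. The same defaults correspond to running named-checkzone -i full -m warn -M fail -n fail -S fail -W warn example.com db.example.com on a BIND host.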
- On the Kerberos service principal tab, set the DNS and DHCP service principals:
- Enable DNS service principal—select this checkbox to specify the security credential for the DNS service to use to authenticate keys requested by the GSS-TSIG protocol. When you select this checkbox, the DNS Service Principal drop-down menu appears. Select a Kerberos service principal from the drop-down menu.
- Enable DHCP service principal—select this checkbox to specify the security credential for the DHCP service to use to authenticate keys requested by the GSS-TSIG protocol. When you select this checkbox, the DHCP Service Principal drop-down menu appears. Select a Kerberos service principal from the drop-down menu.
- On the HSM support tab, complete the following:
- Enable HSM Support—Select the checkbox. The HSM servers drop-down menu is displayed. Select an HSM server from the drop-down menu and select the add icon (+). Repeat this step to add multiple HSM servers.
- The HSM server at the top of the list is the Primary; the HSM servers below it are the Secondary, Tertiary, and so on, in list order. Select the remove icon (x) to remove an HSM server from the list.
- In the Change control section, add comments if required.
- Select Create or Create and add another.
The expanded details section for the server will display Enabled under HSM support.
- Log in to Address Manager via SSH as root.
- Run the following command:
hsm-status.sh
Address Manager should return 'connection status OK' for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.
If Address Manager can't connect to one or more HSM servers, or if the number of confirmed connections is less than the number of HSM servers added in the Address Manager user interface, refer to Troubleshooting.
With HSM enabled on your managed DNS Servers, the next step is to create a DNSSEC-HSM policy.