Enabling HSM on DNS Servers - BlueCat Integrity - 9.3.0

Address Manager Administration Guide

Locale
English
Product name
BlueCat Integrity
Version
9.3.0

After adding HSM servers, configuring the Security World, and joining Address Manager to the Security World, the next step is to enable HSM support on managed BlueCat DNS Servers on your network.

The following procedure describes how to add a new/clean BlueCat DNS Server to Address Manager. If you already have a managed DNS Server or servers that you want to use for DNSSEC-HSM, you should remove the DNS Server from Address Manager control, enable HSM Support from the Edit Server page, then return the DNS Server to Address Manager control.
  • Enabling HSM on your managed BlueCat DNS Servers allows the DNS Servers to join the HSM Security World. DNS deployment will fail if the DNS Servers aren't part of the Security World.
  • Once you have enabled HSM on your managed DNS Servers and they have joined the HSM Security World, connectivity between the managed DNS Servers and at least one HSM Server is required at all times. That is, connectivity between a managed DNS Server and the HSM Server is necessary during all normal operations of the DNS Server and not only with DNSSEC-HSM zone signing. This is to ensure correct operation of DNS service.
  • HSM will NOT function if Dedicated Management is enabled. Disable Dedicated Management from the DNS/DHCP Server Administration Console prior to configuring the server in Address Manager.
  • You can configure HSM with xHA but with certain limitations. For details, refer to OPTIONAL: HSM with xHA.
  • If using a Remote File System to join Address Manager and managed DNS Servers to the Security World, the RFS is configured for No Authentication, which is the preferred state for DNSSEC and HSM failover. RFS-synchronization with Authentication would set authentication to a single HSM server, which could prevent other clients from joining the Security World.
A managed BlueCat DNS Server can perform zone signing using either DNSSEC-HSM or standard DNSSEC—not both. Once a BlueCat DNS Server has been configured for HSM zone signing, it can't be used for standard DNSSEC zone signing. If a DNS Server configured for HSM must be repurposed for standard DNSSEC, it must be re-imaged.
Note: DO NOT add multiple HSM-enabled DNS/DHCP Servers at the same time

BlueCat advises customers not to attempt to take more than one DNS/DHCP Server under Address Manager control at the same time while enabling HSM. For example, from multiple browser tabs or windows, or from multiple admin users working in parallel (not necessarily from the same workstation). Doing so can result in misconfiguration of the DNS/DHCP Server.

To enable HSM on DNS Servers:

  1. Select the Servers tab. Tabs remember the page you last worked on, so select the tab again to ensure you're on the Configuration information page.
  2. Under Servers, click New.
    If editing a server, click the server name. From the Details page, click the server name menu then select Edit.
  3. Under Server, complete the following:
    • Profile—select the model number of your DNS Server from the drop-down menu.
      Note: If you want to use the monitoring service, you must first enable SNMP on each DNS/DHCP Server you intend to monitor. For details, refer to Enabling monitoring services for DNS/DHCP Server.
    • Name—enter the name for the server. This name is used only in the Address Manager user interface and isn't associated with deployed DNS data.
    • Management Interface—enter the IPv4 address configured on the eth0 interface in the BDDS Administration Console. If Dedicated Management is enabled, enter the IPv4 address configured on the eth2 interface.
      Note: IPv6 addresses can't be used to connect to an DNS/DHCP Server appliance.
      Note: If editing a server, the Management Interface field is only available after you have first disabled the managed DNS/DHCP Server. If you want to change the IPv4 address of the Management interface (eth2), you must first re-configure the IPv4 address of the Management interface using the DNS/DHCP Server Administration Console, disable the server in Address Manager, then edit the server with the new IPv4 address.
    • Hostname—The host name used for the server on the network. For example, myhost.example.com
    • Connect to server—by default, this option is selected. It allows Address Manager to connect to the server once it's added. Deselect this check box if you don't want to connect to the server at this time.
      Note: The Connect to server check box must be selected in order to click the Detect Server Settings button which is required to add the server to Address Manager.
    • Upgrade to latest version—by default, this option is deselected. This provides a safe environment to add a DNS/DHCP Server in Address Manager without applying an unintentional software update. Select the check box only if you want to apply the latest version of DNS/DHCP Server software once the appliance is under Address Manager control.
      Note: BlueCat recommends upgrading the DNS/DHCP Server software only after first adding the server to Address Manager. Add the server without selecting the Upgrade to latest version check box. After the server has been added to Address Manager, upgrade the server software. For details, refer to Upgrading DNS/DHCP Server software.
    • Password—enter the server password. You must enter a password in order to click the Detect Server Settings button. For more information on the default server password, refer to BlueCat default login credentials (you must be authenticated to view this topic).
    • Location(Optional) select a location from the drop-down menu on which the server object that you are adding or editing will be based. The most often used location objects will be shown at the top of the list followed by all other lists in alphabetical order.
  4. Click Detect Server Settings. Address Manager will check the DNS/DHCP Server software version, interface count, state of Dedicated Management, IP address, and redundancy scenario (4-port appliances only).
  5. OPTIONAL: complete the following (available fields depend on the number of interfaces of your DNS/DHCP Server):
    • Service interface—set an IPv4 address and netmask that will be used only for services traffic such as DNS, DHCP, DHCPv6 and TFTP (3 and 4-port appliances only). If Dedicated Management has been previously enabled, you will see the IPv4 address you configured on eth2 in the DNS/DHCP Server Administration Console.
      • IPv6 Address and Subnet—configure an IPv6 address and subnet to the Service interface (eth2). If you assigned an IPv6 address from the DNS/DHCP Server Administration Console during initial set-up of the DNS/DHCP Server, the fields will be automatically populated. For example:
        • IPv6 address: 2001:db8::AC10:FE02
        • Subnet: 64
          Note: The configured IPv6 address is automatically set as the Primary IPv6 address. You must set the Primary IPv6 address BEFORE placing the server under Address Manager control.
          Note: You can't set the IPv6 gateway from the Address Manager user interface. You must configure an IPv6 gateway from the DNS/DHCP Server Administration Console to ensure correct operation of IPv6 functionality.
    • xHA Backbone—select the check box if you want to configure the xHA interface and specify the IPv4 address and netmask to be used.
    • Enable Redundancy—select the check box to enable networking redundancy (4-port appliances only) or deselect to disable network redundancy. From the Scenario drop-down menu, select either Active/Backup or Active/Active (802.3ad).
      Note: You can't enable network redundancy from the Add Server page if any VLAN interfaces are present on the Service interface (eth0). If necessary, remove any configured VLAN interfaces using the DNS/DHCP Server Administration Console, then add the server to Address Manager and enable network redundancy. Once the server is under Address Manager control you can configure VLAN interfaces from the Address Manager user interface (Servers > Service Configuration > Interfaces).

      If you require VLAN Tagging with port bonding, you must first enable bonding then immediately configure VLAN interfaces.

  6. OPTIONAL: Under Monitoring Settings, select the following (only available if the DNS/DHCP Server Monitoring Service is enabled):
    • Using default monitoring setting [Enabled]—selected by default. Leave selected to use the DNS/DHCP Server monitoring settings configured for the configuration.
    • Override global monitoring setting—select to set custom monitoring settings for the server, then select Monitor this Server and configure the following SNMP Parameter settings:
      • Version—select the SNMP version for the monitored servers.
      • Port Number—indicates the SNMP port BAM uses to communicate with the monitored servers. The default port is 161. You can't change the port.
      • Community String—type the SNMP Community String used for authentication and click Add. The Community String appears in the list. You can add up to 100 Community Strings to the list. Strings are used in the order presented in the list. To remove a string, select it from the list and click Remove. To change the order of items in the list, select an item in the list and click Move up or Move down.
  7. Under Validation Options, set the following options to override DHCP and DNS services configuration or DNS zones validation settings configured at the configuration level:
    • Override configuration level DHCP validation settings—select the check box to set DHCP deployment validation options that are specific to the server. If selected, the Enable DHCP configuration validation check box appears.
      • Enable DHCP configuration validation—select the check box to check the syntax of the dhcpd.conf file and validate data prior to deployment from Address Manager.
    • Override configuration level DNS validation settings—select the check box to set deployment validation options that are specific to the server. If selected, the Enable DNS configuration validation and Enable DNS zones validation check boxes appear:
      • Enable DNS configuration validation—select the check box to check the syntax of the named.conf file and validate data prior to deployment from Address Manager.
      • Enable DNS zones validation—select the check box to check the syntax of each DNS zone file and validated data prior to deployment from Address Manager. This is equivalent to setting the -i switch for the named-checkzone tool. If selected, the DNS Zones Deployment Validation Setting section opens on the page.
  8. Under DNS Zones Validation Settings, complete the following:
    • Post-load zone integrity validation—performs syntax checks based on the mode you select for this option. Select one of the following modes:
      • Full—checks for the following conditions:
        • If MX records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
        • If SRV records refer to A or AAAA records, for both in-zone and out-of-zone hostnames.
        • If Delegation NS records refer to A or AAAA records, for both in-zone and out-of-zone hostnames
        • If glue address records in the zone match those specified by the child.
      • Local—checks for the following conditions:
        • If MX records refer to A or AAAA records, for in-zone hostnames.
        • If SRV records refer to A or AAAA records, for in-zone hostnames.
        • If Delegation NS records refer to an A or AAAA record, for in-zone hostnames.
        • If glue address records in the zone match those specified by the child.
      • Full-sibling—performs the same checks as in Full mode but doesn't check the glue records.
      • Local-sibling—performs the same checks as in Local mode but doesn't check the glue records.
    • None—disables all post-load zone integrity checks.
    • Check names—Checks names. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if MX records are IP addresses—checks if MX records point to an IP address rather than an A or AAAA record. This is equivalent to setting the -M switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if MX records point to CNAME records—checks if MX records point to a CNAME record rather than an A or AAAA record. This is equivalent to setting the -M switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if NS records are IP addresses—checks if NS record point to an IP address rather than an A or AAAA record. This is equivalent to setting the -n switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check if SRV records point to CNAME records—checks is SRV record point to a CNAME record rather than A or AAAA record. This is equivalent to setting the -S switch for the named-checkzone tool. Select Ignore, Warn, or Fail to determine how Address Manager handles conditions found by this check.
    • Check for non-terminal wildcards—checks for wildcards in zone names that don't appear as the last segment of a zone name: for example, mail.*.example.com. Non-terminal wildcards are permissible, but you may want to be alerted to their presence. This is equivalent to setting the -W switch for the named-checkzone tool. Select Ignore or Warn to determine how Address Manager handles conditions found by this check.
    For the preceding options, Ignore, Warn, or Fail have the following effects:
    • Ignore—Ignores the condition, so it isn't logged in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
    • Warn—Logs the condition in the Zone Validation server log. Deployment proceeds with the zone data containing the condition.
    • Fail—Logs the condition in the Zone Validation server log. Deployment fails. The existing DNS data is left in place and the new data isn't deployed.
  9. Under Kerberos Service Principal, set the DNS and DHCP service principals:
    • Enable DNS Service Principal—select to specify the security credential for the DNS service to use to authenticate keys requested by the GSS-TSIG protocol. When you select this check box, Realm and Principal fields appear. Select a Kerberos realm and service principal from the Realm and Principal drop-down menus.
    • Enable DHCP Service Principal—select this check box to specify the security credential for the DHCP service to use to authenticate keys requested by the GSS-TSIG protocol. When you select this check box, Realm and Principal fields appear. Select a Kerberos realm and service principal from the Realm and Principal drop-down list.
  10. Under HSM Support, complete the following:
    • Select the check box, Enable HSM Support. The Add Server page refreshes to show your HSM configuration and a drop-down menu of HSM servers.
    • From the HSM Servers drop-down menu, select an HSM server and click Add. Repeat this step to add multiple HSM servers.
    • To re-order the hierarchy of the HSM servers in the list, select an HSM server and click Move Up or Move Down. The HSM server at the top of the order will be the Primary; HSM servers below the Primary will be the Secondary, Tertiary. Click Remove to delete an HSM server from the list.
  11. Under Change Control, add comments, if required.
  12. Click Add.

In the General section of the Details tab, you will see Enable HSM Support: Yes — this confirms that HSM has been enabled on the managed BlueCat DNS Server. Also, the HSM Servers section lists the HSM server(s) linked to your managed DNS Server.

Note: Disconnected HSM servers won't be added to HSM configuration
As a best practice, verify that you are connected to all HSM servers listed in the Address Manager user interface. To confirm the connectivity status of HSM servers, perform the following:
  1. Log in to Address Manager via SSH as root.
  2. Run the following command:
    hsm-status.sh

Address Manager should return ‘connection status OK’ for each HSM server. Ensure that the number of connection status messages matches the number of HSM servers you configured in the Address Manager user interface.

If Address Manager can't connect to an HSM server(s), or if the confirmed connections are less that the number of HSM servers added to the Address Manager user interface, refer to Troubleshooting.

With HSM enabled on your managed DNS Servers, the next step is to create an DNSSEC-HSM policy.