Managing DNSSEC key rollover and generation - BlueCat Integrity - 9.5.0

Address Manager Administration Guide

BlueCat Integrity

Address Manager handles the generation and rollover of DNSSEC keys automatically according to the key parameters in the DNSSEC or DNSSEC-HSM signing policy.

However, there may be situations where you need to generate or roll over keys manually:
  • Automatic Key Generation / Manual Key Generation—If automatic key generation is disabled, or if you need to perform an on-demand key rollover, use the Auto Generate Keys function to manually generate ZSKs and KSKs to replace existing keys that are within their Overlap Interval. Keys that aren't within their Overlap Interval can't be generated manually. For information on setting the Overlap Interval, refer to Creating a DNSSEC signing policy. This function can be used at the zone level for all keys in a signed zone.
  • Emergency Key Rollover—If DNSSEC keys have become compromised, use the Emergency Rollover Active Keys function to immediately roll over your existing keys. This function can be used at the zone level for all keys in a signed zone, or at the key level for individual DNSSEC keys.

After performing either of these functions, you must deploy the configuration to re-sign the zone on your servers.
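The two rules above (a successor only for keys inside their Overlap Interval, versus an immediate rollover of every active key) can be checked against a planned key set before deploying. The following model is an added illustration, not Address Manager code or its API; the key tags, dates and 7-day Overlap Interval are constructed sample values, and `coverage_gaps` is an assumed helper that flags instants where the zone would have no active KSK or ZSK.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
@dataclass(frozen=True)
class DnssecKey:
    tag: int            # DNSKEY key tag (sample values constructed for this example)
    kind: str           # "KSK" or "ZSK"
    activate: datetime  # start of the active period
    expire: datetime    # end of the active period, set by the signing policy
    retired: bool = False

def within_overlap(key, now, overlap):
    # Still active, but less than `overlap` from expiry: the window for a successor.
    return (not key.retired) and key.expire - overlap <= now < key.expire

def auto_generate_keys(keys, now, overlap, lifetime):
    # Manual 'Auto Generate Keys': only keys inside their Overlap Interval get a successor.
    new = [DnssecKey(k.tag + 1000, k.kind, now, now + lifetime)
           for k in keys if within_overlap(k, now, overlap)]
    return list(keys) + new

def emergency_rollover(keys, now, lifetime):
    # 'Emergency Rollover Active Keys': every active key is retired now and replaced.
    out = []
    for k in keys:
        if k.retired or not (k.activate <= now < k.expire):
            out.append(k)  # not active: keep the record as-is
            continue
        out.append(replace(k, retired=True, expire=now))
        out.append(DnssecKey(k.tag + 1000, k.kind, now, now + lifetime))
    return out

def coverage_gaps(keys, start, end, step=timedelta(days=1)):
    # Instants at which no active KSK or ZSK exists, i.e. a re-signed zone would not validate.
    gaps, t = [], start
    while t < end:
        for kind in ("KSK", "ZSK"):
            if not any(k.kind == kind and not k.retired and k.activate <= t < k.expire
                       for k in keys):
                gaps.append((t, kind))
        t += step
    return gaps

# Constructed sample: 7-day Overlap Interval, ZSK near expiry, KSK mid-lifetime.
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)
POLICY_OVERLAP = timedelta(days=7)
SAMPLE_KEYS = [
    DnssecKey(12345, "KSK", datetime(2024, 1, 1, tzinfo=UTC), datetime(2025, 1, 1, tzinfo=UTC)),
    DnssecKey(23456, "ZSK", datetime(2024, 5, 1, tzinfo=UTC), datetime(2024, 6, 5, tzinfo=UTC)),
]
```

Running `coverage_gaps` over the untouched sample shows the ZSK gap that the manual generation closes; after either function, the configuration still has to be deployed for the zone to be re-signed with the new keys.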