...

  1. Grid: From the Data Management tab, select the DNS tab. Expand the Toolbar and click Grid DNS Properties.
    Zone: From the Data Management tab, select the DNS tab -> Zones tab -> zone check box, and click the Edit icon. Click Override to override the parameters.
    Standalone appliance: From the Data Management tab, select the DNS tab. Expand the Toolbar and click System DNS Properties.
  2. In the editor, click Toggle Advanced Mode.
  3. When the additional tabs appear, click DNSSEC.
  4. In the DNSSEC tab, click the Basic tab and complete the following:
    • Resource Record Type for Nonexistent Proof: Select the resource record type (NSEC or NSEC3) you want to use for handling non-existent names in DNS. The default is NSEC3. The algorithms used by the KSK and ZSK can generate the same type of NSEC record. Note that a zone cannot contain both NSEC and NSEC3 resource records.
    • Key-signing Key: Click the Add icon to add the cryptographic algorithm that the Grid Master or HSM uses when it generates the KSK. You can add multiple algorithms, but you cannot add the same algorithm more than once. Grid Manager adds a row to the table each time you click the Add icon. Select the row and the algorithm from the drop-down list and enter the key size for the algorithm. The default is RSA/SHA1 with the key size 2048.
      Following are the valid values for each algorithm:
      DSA: The minimum is 512 bits and the maximum is 1024 bits, which is also the default. The key length must be a multiple of 64. Note that Thales HSMs do not support DSA.
      RSA/MD5: The minimum is 512 bits, the maximum is 4096 bits, and the default is 2048 bits. You can configure this for NSEC only.
      RSA/SHA1: The minimum is 512 bits, the maximum is 4096 bits, and the default is 2048 bits.
      RSA/SHA-256: The minimum is 512 bits, the maximum is 4096 bits, and the default is 2048 bits.
      RSA/SHA-512: The minimum is 1024 bits, the maximum is 4096 bits, and the default is 2048 bits.
      You can delete an algorithm by selecting it and clicking the Delete icon.
    • Key-signing Key Rollover Interval: You can specify the key signing key rollover interval for all the algorithms. The minimum value is one day and the maximum is the time remaining to January 2038. The default is one year.
    • Zone-signing Key: Click the Add icon to add the cryptographic algorithm that the Grid Master or HSM uses when it generates the ZSK. You can add multiple algorithms, but you cannot add the same algorithm more than once. Grid Manager adds a row to the table each time you click the Add icon. Select the row and the algorithm from the drop-down list and enter the key size for the algorithm. The default is RSA/SHA1 with the key size 1024.
      Following are the valid values for each algorithm:
      DSA: The key length must be a multiple of 64. The minimum is 512 bits and the maximum is 1024 bits. The default is 1024 bits. Note that Thales HSMs do not support DSA.
      RSA/MD5: The minimum is 512 bits, the maximum is 4096 bits, and the default is 1024 bits. You can configure this for NSEC only.
      RSA/SHA1: The minimum is 512 bits, the maximum is 4096 bits, and the default is 1024 bits. 
      RSA/SHA-256: The minimum is 512 bits, the maximum is 4096 bits, and the default is 1024 bits. 
      RSA/SHA-512: The minimum is 1024 bits, the maximum is 4096 bits, and the default is 1024 bits.
      You can delete an algorithm by selecting it and clicking the Delete icon.
    • Zone-signing Key Rollover Interval: You can specify the zone signing key rollover interval for all the algorithms. The minimum value is one day and the maximum is the time remaining to January 2038. The default is 30 days.
    • Signature Validity: Specify the signature validity period for RRSIG RRs. The minimum is one day and the maximum is 3660 days. The default signature validity interval is four days.
    • Zone-signing Key Rollover Method: You can use either of these methods to sign all the RRsets in a zone:
      • Pre-publish: Select this if you want to use the pre-publish signature scheme to sign all the RRsets in a zone while performing the ZSK rollover. When you select this option, the record sets are signed using a single key. The appliance sets this option as the default zone-signing key method for NIOS 6.11.0 and later releases.
      • Double Sign: Select this if you want to use the double signature scheme to sign all the RRsets in a zone while performing the ZSK rollover. The non-DNSKEY RRsets are signed twice, which increases the size of the zone files.
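As an added example (not part of the Infoblox documentation), the following Python check encodes the constraints listed above so that a planned KSK/ZSK policy can be validated before it is entered in Grid Manager. The DnssecPolicy class and validate function are assumptions of the example, as is reading "January 2038" as 1 January 2038.

```python
from dataclasses import dataclass
from datetime import date

# Key-size bounds listed on the page: algorithm -> (minimum bits, maximum bits)
KEY_SIZES = {"DSA": (512, 1024), "RSA/MD5": (512, 4096), "RSA/SHA1": (512, 4096),
             "RSA/SHA-256": (512, 4096), "RSA/SHA-512": (1024, 4096)}
NSEC_ONLY = {"RSA/MD5"}       # "You can configure this for NSEC only"
# Rollover intervals may be at most "the time remaining to January 2038"
# (assumed here to mean 1 January 2038)
MAX_ROLLOVER_DAYS = (date(2038, 1, 1) - date.today()).days

@dataclass
class DnssecPolicy:
    nsec_type: str                # "NSEC" or "NSEC3" (page default: NSEC3)
    ksk: list                     # [(algorithm, key size in bits), ...]
    zsk: list
    ksk_rollover_days: int = 365  # page default: one year
    zsk_rollover_days: int = 30   # page default: 30 days
    signature_validity_days: int = 4
    uses_hsm: bool = False        # keys are generated on a Thales HSM

def _check_keys(label, keys, policy, problems):
    seen = set()
    for alg, bits in keys:
        if alg not in KEY_SIZES:
            problems.append(f"{label}: unknown algorithm {alg}")
            continue
        if alg in seen:  # the same algorithm cannot be added more than once
            problems.append(f"{label}: {alg} listed more than once")
        seen.add(alg)
        lo, hi = KEY_SIZES[alg]
        if not lo <= bits <= hi:
            problems.append(f"{label}: {alg} key size {bits} outside {lo}-{hi}")
        if alg == "DSA" and bits % 64:
            problems.append(f"{label}: DSA key size {bits} is not a multiple of 64")
        if alg in NSEC_ONLY and policy.nsec_type != "NSEC":
            problems.append(f"{label}: {alg} can only be used with NSEC")
        if policy.uses_hsm and alg == "DSA":  # Thales HSMs do not support DSA
            problems.append(f"{label}: DSA is not supported on Thales HSMs")

def validate(policy):
    # Returns the list of constraint violations; an empty list means the policy is acceptable
    problems = []
    for label, keys in (("KSK", policy.ksk), ("ZSK", policy.zsk)):
        _check_keys(label, keys, policy, problems)
    for label, days in (("KSK rollover", policy.ksk_rollover_days),
                        ("ZSK rollover", policy.zsk_rollover_days)):
        if not 1 <= days <= MAX_ROLLOVER_DAYS:
            problems.append(f"{label}: {days} days outside 1-{MAX_ROLLOVER_DAYS}")
    if not 1 <= policy.signature_validity_days <= 3660:  # signature validity bound
        problems.append(f"signature validity: {policy.signature_validity_days} days outside 1-3660")
    return problems
```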

...