...

  1. Grid: On the Data Management tab, select the DNS tab. Expand the Toolbar and click Grid DNS Properties.
    Zone: On the Data Management tab, select the DNS tab -> Zones tab -> zone checkbox, and then click the Edit icon. Click Override to override the parameters.
    Standalone appliance: On the Data Management tab, select the DNS tab. Expand the Toolbar and click System DNS Properties.

  2. In the editor, click Toggle Advanced Mode.

  3. When the additional tabs appear, click DNSSEC.

  4. On the DNSSEC tab, click the Basic tab and complete the following:

    • Resource Record Type for Nonexistent Proof: Select the resource record type (NSEC or NSEC3) you want to use for handling non-existent names in DNS. The default is NSEC3. The algorithms used by the KSK and ZSK can generate the same type of NSEC record. Note that a zone cannot contain both NSEC and NSEC3 resource records.

    • Key-signing Key: Click the Add icon to add the cryptographic algorithm that the Grid Master or HSM uses when it generates the KSK. You can add multiple algorithms, but you cannot add the same algorithm more than once. Grid Manager adds a row to the table each time you click the Add icon. Select the row and the algorithm from the drop-down list and enter the key size for the algorithm. The default is RSA/SHA1 with a key size of 2048.
      Following are the valid values for each algorithm:
      RSA/SHA1: The minimum is 512 bits, the maximum is 4096 bits, and the default is 2048 bits.
      RSA/SHA-256: The minimum is 512 bits, the maximum is 4096 bits, and the default is 2048 bits.
      RSA/SHA-512: The minimum is 1024 bits, the maximum is 4096 bits, and the default is 2048 bits.
      ECDSAP/SHA-256: The minimum is 160 bits, the maximum is 256 bits.
      ECDSAP/SHA-384: The minimum is 160 bits, the maximum is 384 bits.
      You can delete an algorithm by selecting it and clicking the Delete icon.

    • Key-signing Key Rollover Interval: Specify the key signing key rollover interval for all the algorithms. The minimum value is one day and the maximum is the time remaining to January 2038. The default is one year.

    • Zone-signing Key: Click the Add icon to add the cryptographic algorithm that the Grid Master or HSM uses when it generates the ZSK. You can add multiple algorithms, but you cannot add the same algorithm more than once. Grid Manager adds a row to the table each time you click the Add icon. Select the row and the algorithm from the drop-down list and enter the key size for the algorithm. The default is RSA/SHA1 with a key size of 1024.
      Following are the valid values for each algorithm:
      RSA/SHA1: The minimum is 512 bits, the maximum is 4096 bits, and the default is 1024 bits.
      RSA/SHA-256: The minimum is 512 bits, the maximum is 4096 bits, and the default is 1024 bits.
      RSA/SHA-512: The minimum is 1024 bits, the maximum is 4096 bits, and the default is 1024 bits.
      ECDSAP/SHA-256: The minimum is 160 bits, the maximum is 256 bits.
      ECDSAP/SHA-384: The minimum is 160 bits, the maximum is 384 bits.
      You can delete an algorithm by selecting it and clicking the Delete icon.

    • Zone-signing Key Rollover Interval: Specify the zone signing key rollover interval for all the algorithms. The minimum value is one day and the maximum is the time remaining to January 2038. The default is 30 days.

    • Signature Validity: Specify the signature validity period for RRSIG RRs. The minimum is one day and the maximum is 3660 days. The default signature validity interval is four days.

    • Zone-signing Key rollover method: You can use either of these methods to sign all the RRsets in a zone:

      1. Pre-publish: Select this if you want to use the pre-publish signature scheme to sign all the RRsets in a zone while performing the ZSK rollover. When you select this option, the record sets are signed using a single key. The appliance sets this option as the default zone-signing key method for NIOS 8.6.11.0 x and later releases.

      2. Double Sign: Select this if you want to use the double signature scheme to sign all the RRsets in a zone while performing the ZSK rollover. The non-DNSKEY RRsets are signed twice, which increases the size of the zone files.

        Note that you can select the Zone-signing Key rollover method only after you enable DNSSEC.

  5. Save the configuration and click Restart if it appears at the top of the screen.
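Before applying the settings from step 4, it helps to sanity-check a planned configuration against the limits this procedure states (per-algorithm key sizes, no duplicate algorithms, rollover bounds, signature validity, a single NSEC type). The following is an added example written for this page, not Infoblox code; the dictionary layout and function names are assumptions, and the RSA/SHA1 warning reflects RFC 8624 (which marks RSASHA1 as not recommended for signing), not a rule stated here.

```python
from datetime import date

# Key size limits per algorithm as listed in the KSK and ZSK tables above.
KEY_SIZE_LIMITS = {
    "RSA/SHA1": (512, 4096),
    "RSA/SHA-256": (512, 4096),
    "RSA/SHA-512": (1024, 4096),
    "ECDSAP/SHA-256": (160, 256),
    "ECDSAP/SHA-384": (160, 384),
}
# Rollover intervals: at least one day, at most the time remaining to January 2038.
ROLLOVER_END = date(2038, 1, 1)
# Signature validity for RRSIG RRs: one day up to 3660 days.
SIGNATURE_VALIDITY_RANGE = (1, 3660)


def check_keys(keys, role):
    """keys: list of (algorithm, bits) rows for the KSK or ZSK table. Returns problems."""
    problems, seen = [], set()
    for alg, bits in keys:
        if alg not in KEY_SIZE_LIMITS:
            problems.append(f"{role}: unknown algorithm {alg}")
            continue
        if alg in seen:  # the UI rejects adding the same algorithm twice
            problems.append(f"{role}: {alg} added more than once")
        seen.add(alg)
        lo, hi = KEY_SIZE_LIMITS[alg]
        if not lo <= bits <= hi:
            problems.append(f"{role}: {alg} key size {bits} outside {lo}-{hi} bits")
        if alg == "RSA/SHA1":  # caveat from RFC 8624, not from the product limits
            problems.append(f"{role}: RSA/SHA1 is not recommended for signing; prefer RSA/SHA-256 or ECDSAP/SHA-256")
    return problems


def check_config(cfg, today=date(2024, 1, 1)):
    """cfg: nsec_type, ksk, zsk, ksk_rollover_days, zsk_rollover_days, signature_validity_days."""
    problems = []
    if cfg["nsec_type"] not in ("NSEC", "NSEC3"):  # a zone holds one proof type, never both
        problems.append("nsec_type must be exactly one of NSEC or NSEC3")
    problems += check_keys(cfg["ksk"], "KSK")
    problems += check_keys(cfg["zsk"], "ZSK")
    max_days = (ROLLOVER_END - today).days
    for name in ("ksk_rollover_days", "zsk_rollover_days"):
        if not 1 <= cfg[name] <= max_days:
            problems.append(f"{name} {cfg[name]} outside 1-{max_days} days")
    lo, hi = SIGNATURE_VALIDITY_RANGE
    if not lo <= cfg["signature_validity_days"] <= hi:
        problems.append(f"signature_validity_days must be {lo}-{hi}")
    return problems
```

An empty result means the plan fits the limits in this procedure; each string otherwise names the field to correct before saving in Grid Manager.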

...