The Blog of an honest Consultant.

2020-03-18

DNSSEC Requirements concerning IPAM

The IPAM system used to manage DNS should support the following capabilities with regard to DNSSEC:
1. Hosting of DNSSEC-enabled Zones
   - incl. RFC 4034 Records (DNSKEY, RRSIG, NSEC, DS)
   - incl. RFC 5155 Records (NSEC3)
   - incl. RFC 8078 Records (CDS/CDNSKEY)
2. Enable/disable DNSSEC per Server and Zone
3. Enable/disable Validation of non-managed signed Zones
4. Key Management with optional Hardware Security Module (HSM) Integration
5. Assignment of Parameters for Zone Signing via centrally managed Policies
6. Automatic Key Rollover for ZSK/KSK
7. Emergency Key Rollover for ZSK/KSK
8. Key Export for ZSK/KSK (DNSKEY/DS Record, Trust Anchor, etc.)
9. Notifications for automatic ZSK Rollovers
10. Notifications for KSK Expiration
11. ZSK/KSK Rollover with Double-Signature and with Pre-publish

Admin - 14:46 @ dns, security, dnssec