Sign Forward Lookup Zone

  1. Open Server Manager (Start > Server Manager).

  2. Click Tools and open DNS Manager.

[Screenshot: Server Manager]

  1. In DNS Manager, expand Forward Lookup Zones and right-click the forward lookup zone you created (utitest.com in this guide).

  2. Click DNSSEC, then click Sign the Zone.

[Screenshot: Sign the Zone]

  1. In the Zone Signing Wizard, click Next.

[Screenshot: Zone Signing Wizard]

  1. In the Zone Signing Wizard options, click Customize zone signing parameters, and then click Next.

[Screenshot: Signing Options]

  1. On the Key Signing Key (KSK) Wizard, click Next.

[Screenshot: Key Signing Key]

  1. On the Key Signing Key (KSK) Wizard, click Add.

[Screenshot: Key Signing Key Wizard]

  1. On the New Key Signing Key (KSK) page, in the Select a key storage provider to generate and store keys dropdown, select Utimaco CryptoServer Key Storage Provider. This is what places the KSK private key inside the HSM rather than in the software key store.

  2. Set the remaining parameters, such as Cryptographic Algorithm and Key Length, and click OK.

  3. Clear the Enable automatic rollover check box.

[Screenshot: New Key Signing Key]

Automatic key rollover is not supported with the Utimaco HSM, so the keys must be rolled over manually before they expire.

  1. On the Key Signing Key (KSK) interface, click Next.

[Screenshot: New Key Signing Key]

  1. On the Zone Signing Key (ZSK) Wizard, click Next.

[Screenshot: Zone Signing Key Wizard]

  1. On the Zone Signing Key (ZSK) page, click Add.

  2. On the New Zone Signing Key (ZSK) page, in the Select a key storage provider to generate and store keys dropdown, select Utimaco CryptoServer Key Storage Provider (the same provider as for the KSK, so that both private keys stay in the HSM).

  3. Set the remaining parameters, such as Cryptographic Algorithm and Key Length, and click OK.

  4. Clear the Enable automatic rollover check box.

[Screenshot: New Zone Signing Key]

Automatic key rollover is not supported with the Utimaco HSM, so the keys must be rolled over manually before they expire.

  1. On the Zone Signing Key (ZSK) Wizard, click Next.

[Screenshot: Configure parameters for Zone Signing Key]

  1. On the Next Secure (NSEC) page, select NSEC3 and click Next. NSEC3 returns hashed owner names in denial-of-existence responses, so the zone contents cannot be enumerated simply by walking the chain of NSEC records, which is possible with plain NSEC.

[Screenshot: Next Secure Wizard]

  1. On the Trust Anchors (TAs) interface, check the Enable the distribution of trust anchors for this zone box, and click Next.

[Screenshot: Trust Anchors]

  1. On the Signing and Polling Parameters wizard, click Next.

[Screenshot: Signing and Polling Parameters]

  1. On the DNS Security Extensions (DNSSEC) summary page, click Next, and then click Finish.

[Screenshot: DNS Security Extensions]

[Screenshot: Signing the Zone]

  1. In DNS Manager, expand Trust Points > com > utitest and select the zone.

  2. Confirm that the DNSKEY resource records are listed and that their status is Valid.

[Screenshot: DNS Manager]
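The zone-signing steps above (KSK and ZSK generated through the HSM key storage provider, automatic rollover disabled, NSEC3, trust-anchor distribution, then signing) can also be driven with the DnsServer PowerShell module instead of the wizard. The following is an added example written for this page; it is not Utimaco or Microsoft code. It assumes the provider registers under the display name shown in the wizard, that the zone utitest.com already exists as a primary zone, that RSA/SHA-256 with 2048-bit keys is the chosen algorithm and length, and that it runs in an elevated PowerShell session on the DNS server. The NSEC3 iteration count is an example value.

```powershell
# Added example for this guide (not vendor code). Assumptions: Utimaco CNG KSP installed and
# registered under the display name below, zone utitest.com exists, elevated PowerShell on the server.
$zone = 'utitest.com'
$ksp  = 'Utimaco CryptoServer Key Storage Provider'   # display name from the wizard; must match the registered KSP

# certutil -csplist enumerates the registered CSPs and KSPs; stop early if the HSM provider is missing,
# otherwise a typo here would silently fall back to an error rather than an HSM-held key.
if (-not (certutil -csplist | Select-String -SimpleMatch $ksp)) {
    throw "Key storage provider '$ksp' is not registered on this host"
}

# Same choices as the wizard pages: NSEC3 for denial of existence, trust anchors distributed for the zone.
# If the server rejects DNSSEC settings on an unsigned zone, apply this after signing and re-sign with -DoResign.
Set-DnsServerDnsSecZoneSetting -ZoneName $zone -DenialOfExistence NSec3 -NSec3Iterations 10 `
    -DistributeTrustAnchor DnsKey

# Generate the KSK and ZSK through the HSM provider. The private keys are created inside the
# CryptoServer; the DNS server only holds a reference to them.
$ksk = Add-DnsServerSigningKey -ZoneName $zone -Type KeySigningKey  -KeyStorageProvider $ksp `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 -PassThru
$zsk = Add-DnsServerSigningKey -ZoneName $zone -Type ZoneSigningKey -KeyStorageProvider $ksp `
    -CryptoAlgorithm RsaSha256 -KeyLength 2048 -PassThru

# Automatic rollover is not supported with this HSM, so disable it on both keys
# (the "Enable automatic rollover" check box in the wizard). Roll the keys manually before they expire.
foreach ($key in @($ksk, $zsk)) {
    Disable-DnsServerSigningKeyRollover -ZoneName $zone -KeyId $key.KeyId -Force
}

# Sign using the keys and settings configured above. -SignWithDefault is deliberately not used:
# it would sign with default parameters and ignore the HSM keys just added.
Invoke-DnsServerZoneSign -ZoneName $zone -Force

# Checks equivalent to the Trust Points step: every signing key lives in the HSM provider,
# DNSKEY records exist, and the trust anchor for the zone is published.
$softwareKeys = Get-DnsServerSigningKey -ZoneName $zone | Where-Object { $_.KeyStorageProvider -ne $ksp }
if ($softwareKeys) {
    throw "Signing key(s) not stored in the HSM: $($softwareKeys.KeyId -join ', ')"
}
Get-DnsServerSigningKey -ZoneName $zone | Format-Table KeyType, KeyId, KeyStorageProvider, CryptoAlgorithm, KeyLength
Get-DnsServerResourceRecord -ZoneName $zone -RRType DnsKey
Get-DnsServerTrustAnchor -Name $zone

# A query with the DO bit set should now return RRSIG records alongside the DNSKEY set.
$answer = Resolve-DnsName -Name $zone -Type DNSKEY -Server 127.0.0.1 -DnssecOk
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    throw "No RRSIG returned for $zone; the zone does not appear to be signed"
}
```

The check on KeyStorageProvider is the one worth keeping in any automation around this guide: if the provider name is wrong or the KSP is not loaded, the keys end up in the Microsoft software KSP and the zone still signs and validates, so nothing in the DNS console reveals that the private keys never reached the HSM.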

  1. Open Server Manager, click Tools and open Group Policy Management.

[Screenshot: Server Manager]

  1. In the policy editor (the Local Group Policy Editor is shown below; a domain GPO opened from Group Policy Management has the same path under Computer Configuration), expand Local Computer Policy > Computer Configuration > Windows Settings > Name Resolution Policy.

[Screenshot: Local Group Policy Editor]

  1. In the right pane, under Create Rules, type utitest.com in the Suffix box so that the rule applies to that namespace.

  2. Select both the Enable DNSSEC in this rule check box and the Require DNS clients to check that the name and address data has been validated by the DNS server check box, and click Create. The second setting is what makes clients refuse unvalidated answers for the suffix; enabling DNSSEC alone only requests validation.

  3. Restart the DNS Server service and check its settings. The net commands run from a command prompt; Get-DnsServer is a DnsServer module cmdlet and runs from an elevated PowerShell prompt.

C:\> net stop dns

C:\> net start dns

PS C:\> Get-DnsServer

[Screenshot: DNS service stop and start]

[Screenshot: DNS Manager]

  1. Verify that the keys were generated on the HSM by listing the keys known to the Utimaco CNG provider:

C:\> cngtool ListKeys
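The Name Resolution Policy entry, the service restart and the final verification above can likewise be scripted. The following is an added example for this page, not Utimaco or Microsoft code. It assumes an elevated PowerShell session on the DNS server, that utitest.com has been signed with keys in the Utimaco provider as described earlier, that the NRPT rule is wanted in the local policy (add -GpoName to write it into a domain GPO instead), and that cngtool is on the PATH.

```powershell
# Added example for this guide (not vendor code). Assumptions: elevated PowerShell on the DNS server,
# utitest.com already signed with HSM-held keys, cngtool on PATH.
$zone = 'utitest.com'
$ksp  = 'Utimaco CryptoServer Key Storage Provider'   # display name from the wizard; assumed to match the KSP

# NRPT rule equivalent to the two check boxes in the policy editor: DNSSEC enabled for the suffix
# and validation required. The editor's Suffix field stores "utitest.com" as the suffix ".utitest.com".
Add-DnsClientNrptRule -Namespace ".$zone" -DnsSecEnable -DnsSecValidationRequired `
    -Comment "Require validated answers for $zone"
Get-DnsClientNrptRule | Where-Object { $_.Namespace -eq ".$zone" } | Format-List

# Restart the DNS Server service (same effect as net stop dns / net start dns) and confirm it is back.
Restart-Service -Name DNS
$svc = Get-Service -Name DNS
if ($svc.Status -ne 'Running') {
    throw "DNS Server service is $($svc.Status) after restart"
}

# Server-side settings: the zone must still report as signed after the restart, and the
# DNSSEC zone settings should show NSEC3 and trust-anchor distribution as configured in the wizard.
$z = Get-DnsServerZone -Name $zone
if (-not $z.IsSigned) {
    throw "$zone is not signed"
}
Get-DnsServerDnsSecZoneSetting -ZoneName $zone

# Every signing key for the zone must reference the HSM provider; a key in any other KSP means the
# private key is on disk in the software key store rather than in the CryptoServer.
$softwareKeys = Get-DnsServerSigningKey -ZoneName $zone | Where-Object { $_.KeyStorageProvider -ne $ksp }
if ($softwareKeys) {
    throw "Signing key(s) not stored in the HSM: $($softwareKeys.KeyId -join ', ')"
}

# Cross-check from the HSM side with the vendor tool (the output format is cngtool's own).
cngtool ListKeys

# End-to-end: a DO-bit query through the local server must return RRSIGs with the DNSKEY set.
$answer = Resolve-DnsName -Name $zone -Type DNSKEY -Server 127.0.0.1 -DnssecOk
if (-not ($answer | Where-Object { $_.Type -eq 'RRSIG' })) {
    throw "No RRSIG returned for $zone; signatures are missing"
}
$answer | Format-Table Name, Type, TTL
```

Run the script once after the GUI procedure and again after each manual key rollover: the KeyStorageProvider check is the only step that distinguishes an HSM-backed zone from one whose keys quietly landed in the software KSP, since both sign and validate identically.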