Manual Chapter: Configuring DNSSEC
Applies To:
BIG-IP LTM
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
BIG-IP DNS
- 17.1.1, 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Configuring DNSSEC
Introducing DNSSEC
About DNSSEC
Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. BIG-IP DNS uses DNSSEC to guarantee the authenticity of DNS responses, including zone transfers, and to return Denial of Existence responses, thereby protecting your network against DNS protocol and DNS server attacks.
About DNSSEC keys
BIG-IP DNS, formerly Global Traffic Manager (GTM), uses two types of DNSSEC keys to return DNSSEC-compliant responses: a zone-signing key to sign all of the records in a DNSSEC resource record set, and a key-signing key to sign only the DNSKEY record (that is, the zone-signing key) of a DNSSEC record set.
About enhancing DNSSEC key security
To enhance DNSSEC key security, when automatic key management is configured, BIG-IP DNS uses an automatic key rollover process that uses overlapping generations of a key to ensure that BIG-IP DNS can always respond to queries with DNSSEC-compliant responses. BIG-IP DNS dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period of the key. The first generation of a key has an ID of 0 (zero). Each time BIG-IP DNS dynamically creates a new generation of a key, the ID increments by one. Over time, each generation of a key overlaps the previous generation of the key, ensuring that BIG-IP DNS can respond to a DNSSEC query even if one generation of a key becomes unavailable. When a generation of a key expires, BIG-IP DNS automatically removes that generation of the key from the configuration. The value of the TTL (time-to-live) of a key specifies how long a client resolver can cache the key.
How do I prepare for a manual rollover of a DNSSEC key?
When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to
create a disabled standby version of each key that has a similar name. When you
associate both pairs of keys with the same zone, you can easily perform a manual
rollover of the keys, should an enabled key become compromised.
About SEP records and DNSSEC
Each DNSSEC zone has a list of read-only Security Entry Point (SEP) records. The BIG-IP
DNS creates these records
automatically when you create a zone. These SEP records consist of Delegation Signer (DS) and
DNSKEY records.
Obtaining a trust or DLV anchor
Determine the signed zones from which you want to obtain a trust or DLV
anchor.
If you want the BIG-IP system to cache a validated response
for the signed zones, you need to obtain a trust or DLV anchor.
- On the Main tab, click. The DNSSEC Zone List screen opens.
- Click the name of the DNSSEC zone for which you want to view or copy SEP records.
- On the menu bar, click SEP Records. The SEP records display for each generation of a key. If the SEP record screen is unexpectedly blank, ensure that at least one data center and a server representing the BIG-IP DNS device exist in the BIG-IP system configuration.
- Copy the trust or DLV anchor from the DNSKEY Record field.
About configuring DNSSEC
You can use BIG-IP DNS to
ensure that all responses to DNS-related traffic comply with the DNSSEC security
protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing
keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one
enabled zone-signing key to the zone.
About configuring basic DNSSEC
You can secure the DNS traffic handled by BIG-IP DNS using the DNSSEC protocol.
Before
you configure DNSSEC, ensure that at least one data center and a server representing the BIG-IP
DNS device exist in the BIG-IP system configuration.
Task summary
Perform these tasks to configure DNSSEC on BIG-IP DNS.
Creating listeners to identify DNS traffic
Create listeners to identify the DNS traffic that BIG-IP
DNS handles. The best practice is to create four listeners: one
with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that
handles TCP traffic; one with an IPv6 address that handles UDP traffic, and one with the
same IPv6 address that handles TCP traffic. If you
have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
DNS zone transfers use TCP port 53. If you do not configure listeners for TCP, the client might receive a "connection refused" error or TCP RSTs.
- On the Main tab, click. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type an IPv4 address on which BIG-IP DNS listens for network traffic.
- In the Service area, from the Protocol list, select UDP.
- Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.
Create automatically managed DNSSEC zone-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Zone Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 1024.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 21.
- For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Creating manually managed DNSSEC zone-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
When you plan to manually create keys, install the certificate and key pairs on the BIG-IP
system, before you attempt to create DNSSEC keys.
Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create manually-managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Zone Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
- In the Key Settings area, select a certificate/key pair:
  - From the Certificate list, select a certificate.
  - From the Private Key list, select the key that matches the certificate you selected.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Create automatically managed DNSSEC key-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
The values recommended in these steps are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Key Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 2048.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 340.
- For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire. The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Create manually managed DNSSEC key-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
When you plan to manually create keys, install the certificate and key pairs on the BIG-IP
system, before you attempt to create DNSSEC keys.
Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Key Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
- In the Key Settings area, select a certificate/key pair:
  - From the Certificate list, select a certificate.
  - From the Private Key list, select the key that matches the certificate you selected.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Create a DNSSEC zone
Before you configure DNSSEC, ensure that at least one data center and a server object
representing the BIG-IP device exist in the BIG-IP system configuration.
The DNSSEC feature is available only when the BIG-IP system is licensed
for BIG-IP DNS.
In order for the BIG-IP system to sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing and one enabled key-signing key to the zone.
- On the Main tab, click. The DNSSEC Zone List screen opens.
- Click Create. The New DNSSEC Zone screen opens.
- From the General Properties list, select Advanced.
- In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
- From the State list, select Enabled.
- To specify the hash algorithms the BIG-IP system uses to create Delegation Signer (DS) resource records, for DS Record Hash Algorithms, from the Available list, select SHA-1, SHA-256, or both, and move them to the Active list.
- For NSEC3 Iterations, type the number of times to hash the Next Secure (NSEC3) names. The default is 1.
- From the Indicate Authenticated when Authoritative list, select Enabled to set the Authenticated Data (AD) flag to true for DNSSEC zone authoritative answers. The default is Disabled.
- For the Publish CDS/CDNSKEY setting, select Enabled to allow the CDS/CDNSKEY record types to be published for a given BIG-IP DNSSEC zone. The default is Disabled.
- For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
- For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
- Click Finished. Even if you selected Enabled from the State list, if there is not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Now you can upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.
Confirming that BIG-IP DNS is signing DNSSEC records
After you create DNSSEC zones and zone-signing keys, you can confirm that BIG-IP DNS is signing
the DNSSEC records.
- Log on to the command-line interface of a client.
- At the prompt, type: dig @<IP address of BIG-IP DNS listener> +dnssec <name of zone>
  BIG-IP DNS returns the signed RRSIG records for the zone.
About configuring DNSSEC with an external HSM
You can configure BIG-IP DNS to
use the DNSSEC protocol to secure the DNS traffic handled by BIG-IP DNS in conjunction with an
external HSM system.
Before
you configure DNSSEC, ensure that at least one data center and a server object representing the
BIG-IP DNS device exist in the BIG-IP system configuration.
Task summary
Perform these tasks to configure DNSSEC on BIG-IP DNS.
Creating listeners to identify DNS traffic
Create listeners to identify the DNS traffic that BIG-IP
DNS handles. The best practice is to create four listeners: one
with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that
handles TCP traffic; one with an IPv6 address that handles UDP traffic, and one with the
same IPv6 address that handles TCP traffic. If you
have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
DNS zone transfers use TCP port 53. If you do not configure listeners for TCP, the client might receive a "connection refused" error or TCP RSTs.
- On the Main tab, click. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type an IPv4 address on which BIG-IP DNS listens for network traffic.
- In the Service area, from the Protocol list, select UDP.
- Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.
Creating automatically managed DNSSEC zone-signing keys for use with an external HSM
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Only Thales HSM supports automatic key creation. The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Zone Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select External, if you use a network HSM.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. Only Thales HSM supports automatic key creation. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 1024.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 21.
- For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Creating manually managed DNSSEC zone-signing keys for use with an external HSM
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
When you plan to manually create keys, install the certificate and key pairs on the BIG-IP
system, before you attempt to create DNSSEC keys.
Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Zone Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select External, if you use a network HSM.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
- In the Key Settings area, select a certificate/key pair:
  - From the Certificate list, select a certificate.
  - From the Private Key list, select the key that matches the certificate you selected.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Creating automatically managed DNSSEC key-signing keys for use with an external HSM
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Key Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select External, if you use a network HSM.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 2048.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 340.
- For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire. The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
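The rollover, expiration, TTL and signature period constraints stated for the key-signing key procedure above, and for the matching zone-signing key procedures (21/30 days for zone-signing keys, 340/365 days for key-signing keys, TTL 86400, signature validity seven days, signature publication four days and 16 hours), can be checked mechanically before you type them into the Configuration utility. This is an added example, not F5 code: it encodes those constraints and models the overlapping key generations the chapter describes; the exact instant at which BIG-IP DNS creates or removes a generation is an assumption of the model, not documented behaviour.

```python
"""Sanity-check DNSSEC key timing values and project automatic key generations.

Added example, not part of the F5 documentation or of BIG-IP DNS. It encodes the
constraints this chapter states for the rollover period, expiration period, TTL
and signature periods, and models generations as the chapter describes them: a
new generation every rollover period, each removed when its expiration period
ends. Assumption: generation 0 is created at time 0 and generation N at
N * rollover; BIG-IP's real scheduling may differ.
"""
from __future__ import annotations

from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class KeyTiming:
    name: str
    rollover: int         # Rollover Period, seconds
    expiration: int       # Expiration Period, seconds (0 = not set, key never expires)
    ttl: int              # DNSKEY TTL, seconds a resolver may cache the key
    sig_validity: int     # Signature Validity Period, seconds (0 = not set)
    sig_publication: int  # Signature Publication Period, seconds (0 = not set)


def check_timing(k: KeyTiming) -> list[str]:
    """Return the constraints that are violated; an empty list means the values are consistent."""
    problems: list[str] = []
    if k.expiration == 0:
        problems.append("expiration period is 0 (not set): the key never expires and never rolls")
    else:
        if not (k.expiration / 2 < k.rollover < k.expiration):
            problems.append("rollover period must be greater than half the expiration period "
                            "and less than the expiration period")
        if k.expiration - k.rollover <= k.ttl:
            problems.append("expiration minus rollover must exceed the TTL, or a resolver can hold "
                            "a cached DNSKEY set that lacks the key now signing")
    if k.sig_validity == 0:
        problems.append("signature validity period is 0 (not set): every signature is already expired")
    elif k.sig_publication >= k.sig_validity:
        problems.append("signature publication period must be less than the signature validity period")
    return problems


def generations(k: KeyTiming, horizon: int) -> list[tuple[int, int, int]]:
    """(generation id, created_at, removed_at) for every generation created before `horizon`."""
    out: list[tuple[int, int, int]] = []
    gen_id, created = 0, 0
    while created < horizon:
        out.append((gen_id, created, created + k.expiration))
        gen_id += 1
        created += k.rollover
    return out


def live_at(k: KeyTiming, t: int) -> list[int]:
    """Ids of the generations that exist at time t (the overlap the chapter relies on)."""
    return [gid for gid, created, removed in generations(k, t + k.rollover) if created <= t < removed]


def always_overlapping(k: KeyTiming, horizon: int) -> bool:
    """True if each generation's successor has existed for more than one TTL before the
    generation is removed, so no resolver caches a DNSKEY set that lacks the signing key."""
    gens = generations(k, horizon)
    return all(gens[i + 1][1] + k.ttl < removed for i, (_, _, removed) in enumerate(gens[:-1]))


# Values from this chapter: ZSK 21/30 days, KSK 340/365 days, TTL one day,
# signature validity 7 days, signature publication 4 days 16 hours.
ZSK = KeyTiming("zsk", 21 * DAY, 30 * DAY, DAY, 7 * DAY, 4 * DAY + 16 * 3600)
KSK = KeyTiming("ksk", 340 * DAY, 365 * DAY, DAY, 7 * DAY, 4 * DAY + 16 * 3600)

if __name__ == "__main__":
    for key in (ZSK, KSK):
        print(key.name, check_timing(key) or "ok")
    for day in (0, 25, 45):
        print(f"day {day}: live ZSK generations {live_at(ZSK, day * DAY)}")
```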
Creating manually managed DNSSEC key-signing keys for use with an external HSM
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
When you plan to manually create keys, install the certificate and key pairs on the BIG-IP
system, before you attempt to create DNSSEC keys.
Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, click. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Key Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select External, if you use a network HSM.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
- In the Key Settings area, select a certificate/key pair:
  - From the Certificate list, select a certificate.
  - From the Private Key list, select the key that matches the certificate you selected.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Create a DNSSEC zone
Before you configure DNSSEC, ensure that at least one data center and a server object
representing the BIG-IP device exist in the BIG-IP system configuration.
The DNSSEC feature is available only when the BIG-IP system is licensed
for BIG-IP DNS.
In order for the BIG-IP system to sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing and one enabled key-signing key to the zone.
- On the Main tab, click. The DNSSEC Zone List screen opens.
- Click Create. The New DNSSEC Zone screen opens.
- From the General Properties list, select Advanced.
- In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
- From the State list, select Enabled.
- To specify the hash algorithms the BIG-IP system uses to create Delegation Signer (DS) resource records, for DS Record Hash Algorithms, from the Available list, select SHA-1, SHA-256, or both, and move them to the Active list.
- For NSEC3 Iterations, type the number of times to hash the Next Secure (NSEC3) names. The default is 1.
- From the Indicate Authenticated when Authoritative list, select Enabled to set the Authenticated Data (AD) flag to true for DNSSEC zone authoritative answers. The default is Disabled.
- For the Publish CDS/CDNSKEY setting, select Enabled to allow the CDS/CDNSKEY record types to be published for a given BIG-IP DNSSEC zone. The default is Disabled.
- For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
- For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
- Click Finished. Even if you selected Enabled from the State list, if there is not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Now you can upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.
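The DS record handed to the parent zone is derived from the DNSKEY shown in the zone's SEP records (key tag per RFC 4034 Appendix B, digest per RFC 4034 section 5.1.4), so the two can be cross-checked before the upload, here and in the identical step of the basic DNSSEC section. This is an added example, not F5 code or BIG-IP output: it computes the key tag and the SHA-1 and SHA-256 digests that the zone's DS Record Hash Algorithms setting offers, for the chapter's example zone siterequest.com; the public key bytes are constructed filler, not a real key.

```python
"""Derive a DS record from a DNSKEY record (RFC 4034) to cross-check the SEP records.

Added example, not F5 code. Given the DNSKEY presentation text copied from the
DNSKEY Record field, it computes the key tag and the DS digest for both digest
types the zone screen offers. SAMPLE_DNSKEY is constructed filler, not a real key.
"""
import base64
import hashlib

DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type 1 = SHA-1, 2 = SHA-256
ZONE_KEY_FLAG = 0x0100  # DNSKEY flags bit 7: zone key
SEP_FLAG = 0x0001       # DNSKEY flags bit 15: Secure Entry Point (set on a key-signing key)


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not 1 <= len(label) <= 63:
            raise ValueError(f"invalid label in {name!r}")
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes, protocol: int = 3) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (always 3), algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (for every algorithm except the obsolete RSA/MD5)."""
    acc = 0
    for i, b in enumerate(rdata):
        acc += b if i & 1 else b << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_record(owner: str, flags: int, algorithm: int, public_key: bytes, digest_type: int) -> str:
    """Presentation-format DS RDATA: '<key tag> <algorithm> <digest type> <hex digest>'.
    The digest covers the canonical owner name followed by the DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, algorithm, public_key)
    digest = DIGEST_TYPES[digest_type](owner_name_wire(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def parse_dnskey_presentation(text: str) -> tuple[int, int, int, bytes]:
    """Parse 'flags protocol algorithm base64key...' as copied from the DNSKEY Record field."""
    flags, proto, alg, *key = text.split()
    return int(flags), int(proto), int(alg), base64.b64decode("".join(key))


def is_sep_key(flags: int) -> bool:
    """True for a zone key with the SEP bit, i.e. the key the parent's DS should point at."""
    return bool(flags & ZONE_KEY_FLAG) and bool(flags & SEP_FLAG)


# Constructed sample: flags 257 (zone key + SEP), protocol 3, algorithm 8 (RSA/SHA-256),
# with 64 filler bytes standing in for the RSA public key.
SAMPLE_DNSKEY = "257 3 8 " + base64.b64encode(bytes(range(1, 65))).decode()

if __name__ == "__main__":
    flags, _, alg, key = parse_dnskey_presentation(SAMPLE_DNSKEY)
    print("SEP key:", is_sep_key(flags))
    for dt in DIGEST_TYPES:
        print("siterequest.com. IN DS", ds_record("siterequest.com", flags, alg, key, dt))
```

Compare the key tag and digest printed for each digest type with the DS records listed on the zone's SEP Records screen before sending them to the parent zone operator.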
Confirming that BIG-IP DNS is signing DNSSEC records
After you create DNSSEC zones and zone-signing keys, you can confirm that BIG-IP DNS is signing
the DNSSEC records.
- Log on to the command-line interface of a client.
- At the prompt, type: dig @<IP address of BIG-IP DNS listener> +dnssec <name of zone>
  BIG-IP DNS returns the signed RRSIG records for the zone.
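Rather than only looking for RRSIG lines in the dig output, the answer from the listener can be checked programmatically: every RRset signed, signer equal to the zone, signature valid now, and the AD bit reflecting the zone's Indicate Authenticated when Authoritative setting. This is an added example, not F5 code, for this confirmation step and its twin in the basic DNSSEC section; the dig output is constructed with a filler signature, and it assumes that RRSIG expiration minus inception equals the key's Signature Validity Period (seven days in this chapter).

```python
"""Check the output of `dig @<listener> +dnssec <zone>` for actual signing.

Added example, not F5 code. SAMPLE_DIG is constructed (the signature field is
filler, so this checks structure and timing, not the RSA signature itself).
Assumption: the RRSIG window (expiration - inception) equals the key's
Signature Validity Period, seven days by default in this chapter.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone

DAY = 86400

# Constructed dig answer: the example zone's A record and its RRSIG.
SAMPLE_DIG = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
siterequest.com.\t300\tIN\tA\t192.0.2.10
siterequest.com.\t300\tIN\tRRSIG\tA 8 2 300 20240615000000 20240608000000 12345 siterequest.com. AAAAfillerSignatureBytes==
"""


@dataclass(frozen=True)
class Rrsig:
    type_covered: str
    algorithm: int
    labels: int
    expiration: datetime
    inception: datetime
    key_tag: int
    signer: str


def at(date: str) -> datetime:
    """UTC midnight for an ISO date such as '2024-06-10' (keeps the checks deterministic)."""
    return datetime.strptime(date, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def _rrsig_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rdata: str) -> Rrsig:
    """RRSIG presentation fields: type alg labels origttl expiration inception keytag signer sig."""
    f = rdata.split()
    return Rrsig(f[0], int(f[1]), int(f[2]), _rrsig_time(f[4]), _rrsig_time(f[5]), int(f[6]), f[7])


def parse_dig(text: str) -> tuple[set[str], list[tuple[str, str, str]]]:
    """Return (header flags, [(owner, rrtype, rdata), ...]); dig comment lines start with ';'."""
    flags: set[str] = set()
    records: list[tuple[str, str, str]] = []
    for line in text.splitlines():
        if line.startswith(";; flags:"):
            flags = set(line.split(";")[2].replace("flags:", "").split())
            continue
        if not line or line.startswith(";"):
            continue
        parts = line.split(None, 4)
        if len(parts) == 5:
            owner, _ttl, _cls, rrtype, rdata = parts
            records.append((owner.lower(), rrtype, rdata))
    return flags, records


def ad_flag_set(text: str) -> bool:
    """True if the AD bit is set (what 'Indicate Authenticated when Authoritative' enables)."""
    return "ad" in parse_dig(text)[0]


def check_answer(text: str, zone: str, now: datetime, sig_validity: int = 7 * DAY) -> list[str]:
    """Return findings; an empty list means every RRset is signed by `zone` with a signature
    that is valid at `now` and whose window matches the configured validity period."""
    zone = zone.rstrip(".").lower() + "."
    flags, records = parse_dig(text)
    findings: list[str] = []
    if "aa" not in flags:
        findings.append("answer is not authoritative (aa flag missing); is this the BIG-IP DNS listener?")
    sigs = {(o, parse_rrsig(r).type_covered): parse_rrsig(r) for o, t, r in records if t == "RRSIG"}
    for owner, rrtype in sorted({(o, t) for o, t, _ in records if t != "RRSIG"}):
        sig = sigs.get((owner, rrtype))
        if sig is None:
            findings.append(f"{owner} {rrtype}: no RRSIG in answer (zone unsigned, or +dnssec not sent)")
            continue
        if sig.signer.lower() != zone:
            findings.append(f"{owner} {rrtype}: signer is {sig.signer}, expected {zone}")
        if not sig.inception <= now <= sig.expiration:
            findings.append(f"{owner} {rrtype}: signature not valid at {now:%Y-%m-%d %H:%M} UTC")
        window = int((sig.expiration - sig.inception).total_seconds())
        if window != sig_validity:
            findings.append(f"{owner} {rrtype}: signature window is {window / DAY:g} days, "
                            f"configured validity period is {sig_validity / DAY:g} days")
        if sig.labels < owner.rstrip(".").count(".") + 1:
            findings.append(f"{owner} {rrtype}: wildcard-expanded signature ({sig.labels} labels)")
    return findings


if __name__ == "__main__":
    print("AD flag set:", ad_flag_set(SAMPLE_DIG))
    print("findings:", check_answer(SAMPLE_DIG, "siterequest.com", at("2024-06-10")) or "none")
```

To use it on a live listener, pipe the real dig output into check_answer and pass the current UTC time as `now`.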
Configuring DNSSEC with an internal HSM
You can configure BIG-IP DNS to use the DNSSEC protocol to secure the DNS traffic handled by BIG-IP DNS in
conjunction with an internal HSM system.
Before you configure DNSSEC, ensure that at least one data center and a
server representing the BIG-IP DNS device exist in the BIG-IP system configuration.
Creating listeners to identify DNS traffic
Create listeners to identify the DNS traffic that BIG-IP
DNS handles. The best practice is to create four listeners: one
with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that
handles TCP traffic; one with an IPv6 address that handles UDP traffic, and one with the
same IPv6 address that handles TCP traffic. If you
have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
DNS zone transfers use TCP port 53. If you do not configure listeners for TCP, the client might receive a "connection refused" error or TCP RSTs.
- On the Main tab, click. The Listeners List screen opens.
- Click Create. The Listeners properties screen opens.
- In the Name field, type a unique name for the listener.
- For the Destination setting, in the Address field, type an IPv4 address on which BIG-IP DNS listens for network traffic.
- In the Service area, from the Protocol list, select UDP.
- Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.
Creating automatically managed DNSSEC zone-signing keys for use with an internal HSM
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process in conjunction with an internal HSM.
- On the Main tab, navigate to the DNSSEC Key list. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Zone Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select Internal if you use a FIPS internal HSM card.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 1024.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 21.
- For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Creating automatically managed DNSSEC key-signing keys for use with an internal HSM
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process in conjunction with an internal HSM.
- On the Main tab, navigate to the DNSSEC Key list. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Key Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select Internal if you use a FIPS internal HSM card.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 2048.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 340.
- For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire. The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Create a DNSSEC zone
Before you configure DNSSEC, ensure that at least one data center and a server object
representing the BIG-IP device exist in the BIG-IP system configuration.
The DNSSEC feature is available only when the BIG-IP system is licensed
for BIG-IP DNS.
In order for the BIG-IP system to sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing key and one enabled key-signing key to the zone.
- On the Main tab, navigate to the DNSSEC Zone list. The DNSSEC Zone List screen opens.
- Click Create. The New DNSSEC Zone screen opens.
- From the General Properties list, select Advanced.
- In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
- From the State list, select Enabled.
- To specify the hash algorithms the BIG-IP system uses to create Delegation Signer (DS) resource records, for DS Record Hash Algorithms, from the Available list, select SHA-1, SHA-256, or both, and move them to the Active list.
- For NSEC3 Iterations, type the number of times to hash the Next Secure (NSEC3) names. The default is 1.
- From the Indicate Authenticated when Authoritative list, select Enabled to set the Authenticated Data (AD) flag to true for DNSSEC zone authoritative answers. The default is Disabled.
- For the Publish CDS/CDNSKEY setting, select Enabled to allow the CDS/CDNSKEY record types to be published for a given BIG-IP DNSSEC zone. The default is Disabled.
- For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
- For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
- Click Finished. Even if you selected Enabled from the State list, if there is not at least one zone-signing key and one key-signing key in the Active column, the status of the zone changes to offline.
Now you can upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.
Confirming that BIG-IP DNS is signing DNSSEC records
After you create DNSSEC zones and zone-signing keys, you can confirm that BIG-IP DNS is signing
the DNSSEC records.
- Log on to the command-line interface of a client.
- At the prompt, type: dig @<IP address of BIG-IP DNS listener> +dnssec <name of zone>. BIG-IP DNS returns the signed RRSIG records for the zone.
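The dig step above tells you to look for RRSIG records in the answer, but a signed answer can still be stale (signatures outside their validity window) or come from the wrong signer. The following script is an added example, not F5 code: it parses the output of the dig command the procedure gives you and checks that RRSIGs are present, that the signer is the zone, that each signature is inside its inception/expiration window at the time of the check, and that the answer carries the aa flag. The dig output embedded in it is constructed for the example; the key tag, timestamps and signature field are placeholders, and the function names are this example's own.

```python
"""Check the output of `dig @<listener> +dnssec <zone>` for valid RRSIG records.

Added example, not F5 code. The dig output below is constructed; the key tag,
timestamps and signature field are placeholders, not values from a real zone.
"""
import re
from datetime import datetime, timezone

# Constructed sample answer (placeholder values; the signature field is fake and shortened).
SAMPLE_DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
siterequest.com.\t3600\tIN\tA\t192.0.2.10
siterequest.com.\t3600\tIN\tRRSIG\tA 8 2 3600 20240315000000 20240308000000 12345 siterequest.com. Zm9vYmFyYmF6
"""

RRSIG_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+RRSIG\s+(.+)$")
FLAGS_RE = re.compile(r"^;; flags: ([^;]*);", re.MULTILINE)


def _sig_time(field: str) -> datetime:
    """RRSIG timestamps are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsigs(dig_output: str) -> list[dict]:
    """Extract the RRSIG records from dig's answer as dicts of their rdata fields."""
    sigs = []
    for line in dig_output.splitlines():
        m = RRSIG_RE.match(line)
        if not m:
            continue
        f = m.group(3).split()
        sigs.append({
            "owner": m.group(1),
            "type_covered": f[0],
            "algorithm": int(f[1]),
            "labels": int(f[2]),
            "original_ttl": int(f[3]),
            "expiration": _sig_time(f[4]),
            "inception": _sig_time(f[5]),
            "key_tag": int(f[6]),
            "signer": f[7],
        })
    return sigs


def parse_flags(dig_output: str) -> set[str]:
    """Header flags (qr, aa, rd, ad, ...) from the ';; flags:' line."""
    m = FLAGS_RE.search(dig_output)
    return set(m.group(1).split()) if m else set()


def check_signed(dig_output: str, zone: str, now: datetime) -> tuple[bool, list[str]]:
    """Return (ok, findings); ok is False if any ERROR finding was raised."""
    findings = []
    sigs = parse_rrsigs(dig_output)
    if not sigs:
        return False, ["ERROR: no RRSIG records in the answer; the zone is not being signed "
                       "(or the query was sent without +dnssec)"]
    zone = zone.rstrip(".").lower() + "."
    for s in sigs:
        if s["signer"].lower() != zone:
            findings.append(f"ERROR: RRSIG over {s['type_covered']} is signed by {s['signer']}, not {zone}")
        if not (s["inception"] <= now <= s["expiration"]):
            findings.append(f"ERROR: RRSIG over {s['type_covered']} (key tag {s['key_tag']}) "
                            f"is outside its validity window at {now.isoformat()}")
        elif (s["expiration"] - now).total_seconds() < s["original_ttl"]:
            # The signature expires before a freshly cached copy of the RRset would;
            # with automatic key management this usually means re-signing has stalled.
            findings.append(f"WARN: RRSIG over {s['type_covered']} expires in less than one TTL")
    if "aa" not in parse_flags(dig_output):
        findings.append("WARN: answer is not authoritative (no aa flag); check that you queried the listener, not a resolver")
    ok = not any(f.startswith("ERROR") for f in findings)
    return ok, findings


def check_sample(now_str: str = "20240310120000") -> tuple[bool, list[str]]:
    """Run the check on the constructed sample at a given UTC time (RRSIG timestamp format)."""
    return check_signed(SAMPLE_DIG_OUTPUT, "siterequest.com", _sig_time(now_str))


if __name__ == "__main__":
    ok, findings = check_sample()
    print("signed and valid" if ok else "NOT OK", findings)
```

In practice you would feed the script the real dig output (for example via standard input) and pass the current time; the constructed sample is only there so the example runs offline. The ad flag is absent from the sample on purpose: the listener sets it only when Indicate Authenticated when Authoritative is enabled on the DNSSEC zone.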
About DNSSEC signing of zone transfers
You can configure the BIG-IP system to sign zone transfers using DNSSEC keys. With this configuration, the DNS name servers (clients) requesting zone transfers can serve DNSSEC-signed responses to DNS queries.
The BIG-IP system manages the DNSSEC keys and signs the zone transfers even when external HSMs or FIPS cards are used in the configuration. With this configuration, the BIG-IP system must contain a DNSSEC zone with DNSSEC keys and a DNS zone with a list of DNS name servers that can request zone transfers for the zone.
The DNSSEC feature is available only when a BIG-IP system is licensed for BIG-IP DNS (formerly GTM).
Example of DNS Express signing zone transfers with DNSSEC keys
In this figure, a zone is hosted on an authoritative DNS server that is not secured with DNSSEC keys. An administrator at Site Request creates a DNS zone with a DNS Express™ server and a DNSSEC zone with DNSSEC keys. The names of both zones on the BIG-IP system match the name of the zone on the authoritative DNS server. The creation of the DNS zone initiates an unsigned zone transfer request from DNS Express to the authoritative DNS server that hosts the zone. The server responds with an unsigned zone transfer and the zone is loaded into DNS Express as an unsigned zone.
In this figure, when the zone is updated, the zone transfer from the server to DNS Express is unsigned. The zone is stored in DNS Express as an unsigned zone. However, when the BIG-IP system receives a zone transfer request, the system signs the zone transfer using DNSSEC keys and sends the signed zone transfer to a DNS name server (client).
The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.
Example of DNS zone proxy with DNSSEC
In this figure, a zone is hosted on an authoritative DNS server that is not secured with DNSSEC. The BIG-IP system is configured with both a DNS zone and a DNSSEC zone that match the zone name on the server. The system can forward zone transfer requests to the DNS server, and then sign the response with DNSSEC keys, before sending the response to the client (authoritative DNS name servers (clients) and cloud providers). This allows the clients and cloud providers to serve DNSSEC-signed DNS queries and responses.
- DNS name server (client) sends zone transfer request for a DNS zone.
- The BIG-IP system forwards the request to the authoritative DNS server.
- DNS server answers with zone transfer.
- The BIG-IP system signs the zone transfer with DNSSEC keys.
- The BIG-IP system sends the DNSSEC-signed zone transfer to the client that made the request.
The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.
Example of BIG-IP load balancing zone transfer request to pool of DNS servers and returning DNSSEC-signed zone transfer
In this figure, a zone is hosted on a pool of authoritative DNS servers. The servers are not secured with DNSSEC. The BIG-IP system is configured with both a DNS zone and a DNSSEC zone that match the zone name on the servers. The BIG-IP system can forward zone transfer requests to a pool member, and then sign the response with DNSSEC keys, before sending the DNSSEC-signed zone transfer to the client (authoritative DNS name server or cloud provider). This allows the clients and cloud providers to serve DNSSEC-signed DNS queries and responses.
- DNS name server (client) or cloud provider sends zone transfer request for a DNS zone.
- BIG-IP forwards the request to a member of the pool of authoritative DNS servers that host the zone.
- The pool member responds with a zone transfer.
- BIG-IP signs the zone transfer with DNSSEC keys.
- BIG-IP sends the DNSSEC-signed zone transfer to the client that made the request.
The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.
Enable BIG-IP to respond to zone transfer requests
To enable the BIG-IP system to sign zone transfers, create a
custom DNS profile, and then assign the profile to a listener.
- On the Main tab, navigate to the DNS profile list. The DNS profile list screen opens.
- Click Create. The New DNS Profile screen opens.
- In the Name field, type a unique name for the profile.
- Select the Custom check box.
- In the DNS Traffic area, from the Zone Transfer list, select Enabled.
- In the DNS Features area, from the Use BIND Server on BIG-IP list, select Disabled.
- Click Finished.
Assign the profile to a listener.
DNS zone transfers use TCP port 53. Ensure that you use at least one listener configured for TCP.
Enable a DNS listener to process DNSSEC traffic
Ensure that a custom DNS profile is present in the configuration with Zone Transfer enabled and Use BIND server on BIG-IP disabled.
When you implement DNSSEC zone transfer signing, you must modify the listeners that identify the DNSSEC traffic that the BIG-IP system handles by adding a custom DNS profile enabled for DNSSEC and zone transfers. If you created four listeners to handle your IPv4 and IPv6, UDP and TCP traffic, add the custom DNS profile to all four listeners.
DNS zone transfers use TCP port 53. Ensure that you use at least one listener configured for TCP. If you have multiple BIG-IP DNS systems in a device group, perform this procedure on only one BIG-IP DNS system.
- On the Main tab, navigate to the Listeners list. The Listeners List screen opens.
- Click the name of the listener you want to modify.
- In the Service area, from the DNS Profile list, select the custom DNS profile with Zone Transfer enabled and Use BIND server on BIG-IP disabled.
- Click Finished.
- Perform steps 2 - 4 to modify each of the other listeners.
Create automatically managed DNSSEC zone-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create automatically managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, navigate to the DNSSEC Key list. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Zone Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 1024.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 21.
- For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Creating manually managed DNSSEC zone-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system before you attempt to create DNSSEC keys. Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create manually managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, navigate to the DNSSEC Key list. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Zone Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
- In the Key Settings area, select a certificate/key pair:
  - From the Certificate list, select a certificate.
  - From the Private Key list, select the key that matches the certificate you selected.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Create automatically managed DNSSEC key-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL
of the keys, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
The values recommended in these steps are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, navigate to the DNSSEC Key list. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Key Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
- In the Bit Width field, type 2048.
- In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
- For the Rollover Period setting, in the Days field, type 340.
- For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire. The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
- For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
- For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
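The automatic-key procedures in this chapter (zone-signing and key-signing keys, with or without an internal HSM) all rest on the same timing rules: the rollover period must lie between half the expiration period and the expiration period, the gap between expiration and rollover must exceed the key TTL, the gap must also leave time to get DS records to the parent, and the signature publication period must be shorter than the signature validity period, with zero meaning "not set" for both. The following script is an added example, not F5 code; it encodes those rules as a checker and runs the ZSK (21/30 days) and KSK (340/365 days) values recommended above through it, plus two constructed schedules that break the rules. The guide states the DS lead time as a criterion without a formula, so treating it as "the overlap must be at least that long" is this example's assumption, as are the 14-day lead time and the KeySchedule/check_schedule names.

```python
"""Check a DNSSEC key schedule against the timing rules in this guide.

Added example, not F5 code. Rules encoded: expiration/2 < rollover < expiration,
(expiration - rollover) > TTL, and publication period < validity period, with 0
meaning "not set". Requiring the overlap to cover the DS lead time is an assumption.
"""
from dataclasses import dataclass

DAY = 86400  # seconds; the default DNSKEY TTL is one day


@dataclass(frozen=True)
class KeySchedule:
    name: str
    rollover_s: int          # Rollover Period
    expiration_s: int        # Expiration Period (0 = never expires)
    ttl_s: int               # key TTL
    sig_validity_s: int      # Signature Validity Period
    sig_publication_s: int   # Signature Publication Period
    ds_lead_time_s: int = 0  # time needed to publish DS records at the parent (assumption)


def check_schedule(k: KeySchedule) -> list[str]:
    """Return the list of violated rules; an empty list means the schedule is sound."""
    problems = []
    if k.expiration_s == 0:
        problems.append("expiration is 0 (not set): the key never expires and never rolls over")
    else:
        overlap = k.expiration_s - k.rollover_s  # time both key generations are valid
        if not (k.expiration_s / 2 < k.rollover_s < k.expiration_s):
            problems.append("rollover must be greater than half the expiration and less than it")
        if overlap <= k.ttl_s:
            # A resolver that cached the old key just before rollover could otherwise
            # still hold it after it expired and fail to recognise the new one.
            problems.append("expiration minus rollover must exceed the key TTL")
        if overlap < k.ds_lead_time_s:
            problems.append("overlap is shorter than the time needed to publish DS records at the parent")
    if k.sig_validity_s == 0:
        problems.append("signature validity is 0 (not set): every signature is already expired")
    if k.sig_publication_s == 0:
        problems.append("signature publication is 0 (not set): signatures are not cached")
    if k.sig_publication_s >= k.sig_validity_s:
        problems.append("signature publication period must be less than the signature validity period")
    return problems


SIG_VALIDITY = 7 * DAY                 # default: seven days
SIG_PUBLICATION = 4 * DAY + 16 * 3600  # default: four days and 16 hours

# The recommended values from the procedures (ZSK 21/30 days, KSK 340/365 days).
ZSK = KeySchedule("zsk", 21 * DAY, 30 * DAY, DAY, SIG_VALIDITY, SIG_PUBLICATION)
KSK = KeySchedule("ksk", 340 * DAY, 365 * DAY, DAY, SIG_VALIDITY, SIG_PUBLICATION,
                  ds_lead_time_s=14 * DAY)  # 14-day DS lead time is a constructed assumption
# Constructed schedules that break the rules.
TOO_LITTLE_OVERLAP = KeySchedule("zsk-bad", 29 * DAY, 30 * DAY, DAY, SIG_VALIDITY, SIG_PUBLICATION)
NO_EXPIRY = KeySchedule("zsk-noexp", 21 * DAY, 0, DAY, SIG_VALIDITY, SIG_PUBLICATION)
SLOW_PARENT = KeySchedule("ksk-slow", 340 * DAY, 365 * DAY, DAY, SIG_VALIDITY, SIG_PUBLICATION,
                          ds_lead_time_s=30 * DAY)

if __name__ == "__main__":
    for k in (ZSK, KSK, TOO_LITTLE_OVERLAP, NO_EXPIRY, SLOW_PARENT):
        print(k.name, check_schedule(k) or "ok")
```

Run it before changing any of the period fields; a non-empty result for a schedule means a resolver somewhere can be left with a key or signature it cannot validate.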
Create manually managed DNSSEC key-signing keys
Ensure that the time setting on BIG-IP
DNS is synchronized with the NTP servers on your network. This ensures that
each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.
When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system before you attempt to create DNSSEC keys. Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
- On the Main tab, navigate to the DNSSEC Key list. The DNSSEC Key List screen opens.
- Click Create. The New DNSSEC Key screen opens.
- In the Name field, type a name for the key. Zone names are limited to 63 characters.
- From the Type list, select Key Signing Key.
- From the State list, select Enabled.
- From the Hardware Security Module list, select None.
- From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
- From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
- In the Key Settings area, select a certificate/key pair:
  - From the Certificate list, select a certificate.
  - From the Private Key list, select the key that matches the certificate you selected.
- Click Finished.
- To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.
Create a DNSSEC zone
Before you configure DNSSEC, ensure that at least one data center and a server object
representing the BIG-IP device exist in the BIG-IP system configuration.
The DNSSEC feature is available only when the BIG-IP system is licensed
for BIG-IP DNS.
In order for the BIG-IP system to sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing key and one enabled key-signing key to the zone.
- On the Main tab, navigate to the DNSSEC Zone list. The DNSSEC Zone List screen opens.
- Click Create. The New DNSSEC Zone screen opens.
- From the General Properties list, select Advanced.
- In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
- From the State list, select Enabled.
- To specify the hash algorithms the BIG-IP system uses to create Delegation Signer (DS) resource records, for DS Record Hash Algorithms, from the Available list, select SHA-1, SHA-256, or both, and move them to the Active list.
- For NSEC3 Iterations, type the number of times to hash the Next Secure (NSEC3) names. The default is 1.
- From the Indicate Authenticated when Authoritative list, select Enabled to set the Authenticated Data (AD) flag to true for DNSSEC zone authoritative answers. The default is Disabled.
- For the Publish CDS/CDNSKEY setting, select Enabled to allow the CDS/CDNSKEY record types to be published for a given BIG-IP DNSSEC zone. The default is Disabled.
- For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
- For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
- Click Finished. Even if you selected Enabled from the State list, if there is not at least one zone-signing key and one key-signing key in the Active column, the status of the zone changes to offline.
Now you can upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.
Add name server objects that represent DNS servers
Obtain the IP address of the authoritative DNS server that hosts the DNS zone. Optional: Ensure that the server TSIG key is available on the BIG-IP system.
When you want to transfer a zone from an authoritative DNS server into the DNS Express engine and have DNS Express respond to DNS queries for the zone, add a name server object that represents the server that hosts the zone.
- On the Main tab, navigate to the Nameservers list. The Nameservers List screen opens.
- Click Create. The New Nameserver screen opens.
- In the Name field, type a name for the authoritative DNS server.
- In the Address field, type the IP address on which the DNS server listens for DNS messages.
- Optional: From the Server Key list, select the TSIG key that matches the TSIG key on the DNS server. The BIG-IP system uses this TSIG key to sign DNS zone transfer requests sent to the DNS server that hosts this zone, and then to verify a zone transfer returned from the DNS server.
Create a DNS zone and add a DNS Express server object to the zone.
Add name server objects that represent DNS name servers (clients)
Gather the IP addresses of the DNS name servers (clients) from which the DNS Express engine accepts zone transfer requests for a DNS zone. Optional: Ensure that the client TSIG key is available on the BIG-IP system.
To allow DNS name servers (clients) to request zone transfers for a zone, add a name server object that represents each client. Optionally, you can add a client TSIG key that the BIG-IP system uses to authenticate the identity of the client during zone transfer communications.
- On the Main tab, navigate to the Nameservers list. The Nameservers List screen opens.
- Click Create. The New Nameserver screen opens.
- In the Name field, type a name for the DNS name server (client).
- In the Address field, type the IP address on which the DNS name server (client) listens for DNS messages.
- Optional: From the TSIG Key list, select the TSIG key you want the BIG-IP system to use to validate zone transfer traffic.
- Click Finished.
- Add name server objects to represent other DNS name servers (clients).
Add the DNS name server (client) objects to the Zone Transfer Client list of the DNS zone on the BIG-IP system.
Configure a DNS zone to answer zone transfer requests
Ensure that at least one name server object that represents a DNS name server (client) exists in the BIG-IP system configuration.
Modify a DNS zone to answer zone transfer requests from specific DNS name servers.
- On the Main tab, navigate to the Zone list. The Zone List screen opens.
- Click the name of the zone you want to modify.
- In the Zone Transfer Clients area, move the name servers that can initiate zone transfers from the Available list to the Active list.
- Click Finished.
View DNSSEC zone statistics
You can view information about the zones that are protected by DNS
Express.
- On the Main tab, navigate to the statistics screens. The Zones statistics screen opens.
- From the Statistics Type list, select Zones. Information displays about the traffic handled by the DNSSEC zones in the list.
- In the Details column for a zone, click View. Read the online help for an explanation of the statistics.
Troubleshooting DNSSEC on the BIG-IP system
On BIG-IP
DNS, you can view DNSSEC records in ZoneRunner™, access and view DNSSEC SEP Records, and modify generations of a DNSSEC key.