In this figure, an administrator at Site Request creates a DNS zone on the BIG-IP system that is a proxy for the zone on the authoritative DNS server that hosts the zone. The name of the DNS zone on the BIG-IP system matches the name of the zone on the authoritative DNS server. The administrator uses TSIG key authenthication to verify the zone transfer communications between the BIG-IP system and the DNS nameserver (client) making the zone transfer request.

BIG-IP system acting as DNS zone proxy with client-side TSIG authentication

1. DNS nameserver (client) sends TSIG-signed zone transfer request for a DNS zone.
2. BIG-IP system validates the signature and removes the client TSIG key.
3. BIG-IP system sends the unsigned request to the DNS server that hosts the zone.
4. DNS server answers with an unsigned zone transfer to the BIG-IP system.
5. BIG-IP system adds the client TSIG key to the response.
6. BIG-IP system sends a TSIG-signed zone transfer to the DNS nameserver that made the request.

In this figure, an administrator at Site Request creates a DNS zone on the BIG-IP system that is a proxy for the zone on the authoritative DNS server that hosts the zone. The name of the DNS zone on the BIG-IP system matches the name of the zone on the authoritative DNS server. The administrator uses TSIG key authenthication to verify the zone transfer communications between the BIG-IP system and the authoritative DNS server and between the BIG-IP system and the client making a zone transfer request.

BIG-IP system acting as DNS zone proxy with client and server-side TSIG authentication

1. DNS nameserver (client) sends TSIG-signed zone transfer request for a DNS zone.
2. BIG-IP system validates the signature, removes the client TSIG key from the request, and adds the server TSIG key to the request.
3. BIG-IP system sends the TSIG-signed request to the DNS server that hosts the zone.
4. DNS server answers with a TSIG-signed zone transfer to the BIG-IP system.
5. BIG-IP system validates the signature, removes the server TSIG key from the response, and adds the client TSIG key to the response.
6. BIG-IP system sends the TSIG-signed zone transfer to the DNS nameserver that made the request.

The BIG-IP^® system can use transaction signature (TSIG) keys to authenticate communications about zone transfers between the BIG-IP system and authoritative DNS servers, and between the BIG-IP system and DNS nameservers (clients). TSIG keys are generated by a third party tool such as BIND's keygen utility. Using TSIG keys is optional.

TSIG key configured on authoritative DNS server

You can add a TSIG key to a nameserver object that represents an authoritative DNS server. With this configuration, when the DNS server sends a NOTIFY message to the BIG-IP system, DNS Express™ responds with a TSIG-signed zone transfer request. Then the DNS server returns a TSIG-signed zone transfer. If required, you can disable the Verify Notify TSIG option on the DNS zone. With this configuration, DNS Express can process a NOTIFY message without a TSIG key, even when a subsequent zone transfer requires a TSIG key.

TSIG key configured on DNS nameserver (client)

You can add a TSIG key to a nameserver object that represents a DNS nameserver (client). When the client sends a TSIG-signed zone transfer request, DNS Express returns a TSIG-signed zone transfer.

TSIG key configured on DNS zone

You can add a server TSIG key to a DNS zone on the BIG-IP system. With this configuration, the system uses this TSIG key when the zone on the BIG-IP system is a proxy for the zone on the server. There are two possible scenarios:

• Client sends TSIG-signed zone transfer request

  When the BIG-IP system receives a TSIG-signed zone transfer request from a client for a DNS zone for which it is a proxy, the system validates the client TSIG key and removes the key from the request. The system then adds the server TSIG key to the request and forwards the TSIG-signed request to the DNS server or load balances the TSIG-signed request to a pool of DNS servers. The DNS server responds with a TSIG-signed zone transfer. The BIG-IP system validates the server TSIG key and removes the key. Then the system adds the client TSIG key and returns a TSIG-signed signed zone transfer to the client.

• Client sends unsigned zone transfer request

  When the BIG-IP system receives an unsigned zone transfer request from a client for a DNS zone for which it is a proxy, the system adds the server TSIG key to the request. The system then forwards the TSIG-signed request to the DNS server or load balances the TSIG-signed request to a pool of DNS servers. The DNS server responds with a TSIG-signed zone transfer. The BIG-IP system validates the server TSIG key and removes the key. Then the system returns an unsigned zone transfer to the client.

A listener is a specialized virtual server that passively checks for DNS packets on port 53 and the IP address you assign to the listener. When a DNS request is sent to the IP address of the listener, the BIG-IP^® system either handles the request or forwards the request to the appropriate resource.

1. On the Main tab, click DNS > Delivery > Keys > TSIG Key List .
   The TSIG Key List screen opens.
2. Click Create.
   The New TSIG Key screen opens.
3. In the Name field, type the name of the TSIG key.
4. From the Algorithm list, select the algorithm that was used to generate the key.
5. In the Secret field, type the TSIG key secret.
6. Click Finished.
7. Create additional TSIG keys, as needed.

1. On the Main tab, click DNS > Delivery > Nameservers .
   The Nameservers List screen opens.
2. Click Create.
   The New Nameserver screen opens.
3. In the Name field, type a name for the DNS nameserver (client).
4. In the Address field, type the IP address on which the DNS nameserver (client) listens for DNS messages.
5. Optional: From the TSIG Key list, select the TSIG key that matches the TSIG key on the DNS nameserver (client).
   The BIG-IP system uses this TSIG key to authenticate zone transfer communications as coming from this client and to sign communications sent to this client.
6. Click Finished.
7. Add nameserver objects to represent other DNS nameservers (clients).

1. On the Main tab, click DNS > Delivery > Profiles > DNS or Local Traffic > Profiles > Services > DNS .
   The DNS profile list screen opens.
2. Click Create.
   The New DNS Profile screen opens.
3. In the General Properties area, name the profile dns_zxfr.
4. Select the Custom check box.
5. In the DNS Features area, from the DNS Express list, select Disabled.
6. In the DNS Traffic area, from the Zone Transfer list, select Enabled.
7. In the DNS Features area, from the Unhandled Query Actions list, select Allow.
   The BIG-IP system forwards zone transfer requests to a DNS server or a member of a pool of DNS servers.
8. In the DNS Features area, from the Use BIND Server on BIG-IP list, select Disabled.
9. Click Finished.

1. On the Main tab, click DNS > Zones .
   The Zone List screen opens.
2. Click Create.
   The New Zone screen opens.
3. In the Name field, type the name of the DNS zone.
   The name must begin and end with a letter and contain only letters, numbers, and the period and hyphen (-) characters.
4. In the Zone Transfer Clients area, move the nameservers that can initiate zone transfers from the Available list to the Active list.
5. Optional: From the Server Key list, select the TSIG key that matches the TSIG key on the DNS server.
   The BIG-IP system uses this TSIG key to sign DNS zone transfer requests, before forwarding the requests to the DNS server that hosts this zone, and then to verify a zone transfer returned from the DNS server.
6. Click Finished.