Manual Chapter : Configuring DNSSEC

Applies To:

Show Versions Show Versions

BIG-IP LTM

  • 13.0.1, 13.0.0

BIG-IP DNS

  • 13.0.1, 13.0.0
Manual Chapter

Introducing DNSSEC

About DNSSEC

Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. BIG-IP® DNS uses DNSSEC to guarantee the authenticity of DNS responses, including zone transfers, and to return Denial of Existence responses thus protecting your network against DNS protocol and DNS server attacks.

About DNSSEC keys

BIG-IP® DNS, formerly Global Traffic Manager™ (GTM™), uses two types of DNSSEC keys to return DNSSEC-compliant responses: a zone-signing key to sign all of the records in a DNSSEC resource record set, and a key-signing key to sign only the DNSKEY record (that is the zone-signing key) of a DNSSEC record set.

About enhancing DNSSEC key security

To enhance DNSSEC key security, when automatic key management is configured, BIG-IP® DNS uses an automatic key rollover process that uses overlapping generations of a key to ensure that BIG-IP DNS can always respond to queries with DNSSEC-compliant responses. BIG-IP DNS dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period of the key.

The first generation of a key has an ID of 0 (zero). Each time BIG-IP DNS dynamically creates a new generation of a key, the ID increments by one. Over time, each generation of a key overlaps the previous generation of the key ensuring that BIG-IP DNS can respond to a DNSSEC query even if one generation of a key becomes unavailable. When a generation of a key expires, BIG-IP DNS automatically removes that generation of the key from the configuration. The value of the TTL (time-to-live) of a key specifies how long a client resolver can cache the key.

Overlapping generations of a key

Overlapping generations of a key

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. When you associate both pairs of keys with the same zone, you can easily perform a manual rollover of the keys, should an enabled key become compromised.

About SEP records and DNSSEC

Each DNSSEC zone has a list of read-only Security Entry Point (SEP) records. The BIG-IP® DNS creates these records automatically when you create a zone. These SEP records consist of Delegation Signer (DS) and DNSKEY records.

Obtaining a trust or DLV anchor

Determine the signed zones from which you want to obtain a trust or DLV anchor.
If you want the BIG-IP® system to cache a validated response for the signed zones, you need to obtain a trust or DLV anchor.
  1. On the Main tab, click DNS > Zones > DNSSEC Zones .
    The DNSSEC Zone List screen opens.
  2. Click the name of the DNSSEC zone for which you want to view or copy SEP records.
  3. On the menu bar, click SEP Records.
    The SEP records display for each generation of a key. If the SEP record screen is unexpectedly blank, ensure that at least one data center and a server representing the BIG-IP DNS device exist in the BIG-IP system configuration.
  4. Copy the trust or DLV anchor from the DNSKEY Record field.

About configuring DNSSEC

You can use BIG-IP® DNS to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

Traffic flow when BIG-IP DNS is the DNSSEC authoritative nameserver

Traffic flow when BIG-IP DNS is the DNSSEC authoritative nameserver

About configuring basic DNSSEC

You can secure the DNS traffic handled by BIG-IP® DNS using the DNSSEC protocol.

Important: Before you configure DNSSEC, ensure that at least one data center and a server representing the BIG-IP DNS device exist in the BIG-IP system configuration.

Task summary

Perform these tasks to configure DNSSEC on BIG-IP DNS.

Creating listeners to identify DNS traffic

Create listeners to identify the DNS traffic that BIG-IP® DNS handles. The best practice is to create four listeners: one with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic; one with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
Note: DNS zone transfers use TCP port 53. If you do not configure listeners for TCP the client might receive the error: connection refused or TCP RSTs.
If you have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
  1. On the Main tab, click DNS > Delivery > Listeners .
    The Listeners List screen opens.
  2. Click Create.
    The Listeners properties screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, in the Address field, type an IPv4 address on which BIG-IP DNS listens for network traffic.
  5. In the Service area, from the Protocol list, select UDP.
  6. Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.

Creating automatically managed DNSSEC zone-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create automatically-managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 1024.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 21.
  12. For the Expiration Period setting, in the Days field, type 30.
    Zero seconds indicates not set, and thus the key does not expire.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC zone-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.

Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create manually-managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual.
    The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in these steps are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 2048.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 340.
  12. For the Expiration Period setting, in the Days field, type 365.
    Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC key-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.

Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual.
    The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating a DNSSEC zone

Before you configure DNSSEC, ensure that at least one data center and a server object representing the BIG-IP® device exist in the BIG-IP system configuration.
Important: The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.
Before the BIG-IP system can sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click DNS > Zones > DNSSEC Zones .
    The DNSSEC Zone List screen opens.
  2. Click Create.
    The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name.
    For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
    You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
    You can associate the same key-signing key with multiple zones.
  7. Click Finished.
    Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.

Confirming that BIG-IP DNS is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that BIG-IP® DNS is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type: dig @<IP address of BIG-IP DNS listener> +dnssec <name of zone>
    BIG-IP DNS returns the signed RRSIG records for the zone.

About configuring DNSSEC with an external HSM

You can configure BIG-IP® DNS to use the DNSSEC protocol to secure the DNS traffic handled by BIG-IP DNS in conjunction with an external HSM system.

Important: Before you configure DNSSEC, ensure that at least one data center and a server object representing the BIG-IP DNS device exist in the BIG-IP system configuration.

Task summary

Perform these tasks to configure DNSSEC on BIG-IP DNS.

Creating listeners to identify DNS traffic

Create listeners to identify the DNS traffic that BIG-IP® DNS handles. The best practice is to create four listeners: one with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic; one with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
Note: DNS zone transfers use TCP port 53. If you do not configure listeners for TCP the client might receive the error: connection refused or TCP RSTs.
If you have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
  1. On the Main tab, click DNS > Delivery > Listeners .
    The Listeners List screen opens.
  2. Click Create.
    The Listeners properties screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, in the Address field, type an IPv4 address on which BIG-IP DNS listens for network traffic.
  5. In the Service area, from the Protocol list, select UDP.
  6. Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.

Creating automatically managed DNSSEC zone-signing keys for use with an external HSM

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: Only Thales HSM supports automatic key creation. The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    Note: Only Thales HSM supports automatic key creation.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 1024.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 21.
  12. For the Expiration Period setting, in the Days field, type 30.
    Zero seconds indicates not set, and thus the key does not expire.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC zone-signing keys for use with an external HSM

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.

Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual.
    The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys for use with an external HSM

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 2048.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 340.
  12. For the Expiration Period setting, in the Days field, type 365.
    Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC key-signing keys for use with an external HSM

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.

Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual.
    The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating a DNSSEC zone

Before you configure DNSSEC, ensure that at least one data center and a server object representing the BIG-IP® device exist in the BIG-IP system configuration.
Important: The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.
Before the BIG-IP system can sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click DNS > Zones > DNSSEC Zones .
    The DNSSEC Zone List screen opens.
  2. Click Create.
    The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name.
    For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
    You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
    You can associate the same key-signing key with multiple zones.
  7. Click Finished.
    Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.

Confirming that BIG-IP DNS is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that BIG-IP® DNS is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type: dig @<IP address of BIG-IP DNS listener> +dnssec <name of zone>
    BIG-IP DNS returns the signed RRSIG records for the zone.

Configuring DNSSEC with an internal HSM

You can configure BIG-IP® DNS to use the DNSSEC protocol to secure the DNS traffic handled by BIG-IP DNS in conjunction with an internal HSM system.

Important: Before you configure DNSSEC, ensure that at least one data center and a server representing the BIG-IP DNS device exist in the BIG-IP system configuration.

Task summary

Perform these tasks to configure DNSSEC on BIG-IP DNS.

Creating listeners to identify DNS traffic

Create listeners to identify the DNS traffic that BIG-IP® DNS handles. The best practice is to create four listeners: one with an IPv4 address that handles UDP traffic, and one with the same IPv4 address that handles TCP traffic; one with an IPv6 address that handles UDP traffic, and one with the same IPv6 address that handles TCP traffic.
Note: DNS zone transfers use TCP port 53. If you do not configure listeners for TCP the client might receive the error: connection refused or TCP RSTs.
If you have multiple BIG-IP DNS systems in a device group, perform these steps on only one system.
  1. On the Main tab, click DNS > Delivery > Listeners .
    The Listeners List screen opens.
  2. Click Create.
    The Listeners properties screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, in the Address field, type an IPv4 address on which BIG-IP DNS listens for network traffic.
  5. In the Service area, from the Protocol list, select UDP.
  6. Click Finished.
Create another listener with the same IPv4 address and configuration, but select TCP from the Protocol list. Then, create two more listeners, configuring both with the same IPv6 address, but one with the UDP protocol and one with the TCP protocol.

Creating automatically managed DNSSEC zone-signing keys for use with an internal HSM

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process in conjunction with an internal HSM.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select Internal, if you use a FIPs internal HSM card.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 1024.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 21.
  12. For the Expiration Period setting, in the Days field, type 30.
    Zero seconds indicates not set, and thus the key does not expire.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys for use with an internal HSM

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process in conjunction with an internal HSM.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select Internal, if you use a FIPs internal HSM card.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 2048.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 340.
  12. For the Expiration Period setting, in the Days field, type 365.
    Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating a DNSSEC zone

Before you configure DNSSEC, ensure that at least one data center and a server object representing the BIG-IP® device exist in the BIG-IP system configuration.
Important: The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.
Before the BIG-IP system can sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click DNS > Zones > DNSSEC Zones .
    The DNSSEC Zone List screen opens.
  2. Click Create.
    The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name.
    For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
    You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
    You can associate the same key-signing key with multiple zones.
  7. Click Finished.
    Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.

Confirming that BIG-IP DNS is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that BIG-IP® DNS is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type: dig @<IP address of BIG-IP DNS listener> +dnssec <name of zone>
    BIG-IP DNS returns the signed RRSIG records for the zone.

About DNSSEC signing of zone transfers

You can configure the BIG-IP® system to sign zone transfers using DNSSEC keys. With this configuration, the DNS nameservers (clients) requesting zone transfers can serve DNSSEC-signed responses to DNS queries.

The BIG-IP system manages the DNSSEC keys and signs the zone transfers even when external HSMs or FIPS cards are used in the configuration. With this configuration, the BIG-IP system must contain a DNSSEC zone with DNSSEC keys and a DNS zone with a list of DNS nameservers (clients) that can request zone transfers for the zone.

Important: The DNSSEC feature is available only when a BIG-IP system is licensed for BIG-IP DNS (formerly GTM™).

Example of DNS Express signing zone transfers with DNSSEC keys

In this figure, a zone is hosted on an authoritative DNS server, that is not secured with DNSSEC keys. An administrator at Site Request creates a DNS zone with a DNS Express™ server and a DNSSEC zone with DNSSEC keys. The name of both zones on the BIG-IP system match the name of the zone on the authoritative DNS server. The creation of the DNS zone initiates an unsigned zone transfer request from DNS Express to the authoritative DNS server that hosts the zone. The server responds with an unsigned zone transfer and the zone is loaded into DNS Express as an unsigned zone.

Unsigned DNS zone transfer to DNS Express

  1. Creation of DNS zone with DNS Express server initiates unsolicited zone transfer request from DNS Express to authoritative DNS server.
  2. DNS server responds with unsigned zone transfer to DNS Express, which loads the zone, and stores it as an unsigned zone.

In this figure, when the zone is updated, the zone transfer from the server to DNS Express is unsigned. The zone is stored in DNS Express as an unsigned zone. However, when the BIG-IP system receives a zone transfer request, the system signs the zone transfer using DNSSEC keys and sends the signed zone transfer to a DNS nameserver (client).

BIG-IP responds to zone transfer request with DNSSEC-signed response

  1. When a zone update occurs, DNS server sends NOTIFY message to DNS Express.
  2. DNS Express sends zone transfer request to DNS server.
  3. DNS server responds with zone transfer to DNS Express
  4. DNS Express stores unsigned zone.
  5. DNS Express sends NOTIFY to DNS nameserver client.
  6. Client sends zone transfer request to DNS Express.
  7. DNS Express responds with DNSSEC-signed zone transfer.
Important: The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.

Example of DNS zone proxy with DNSSEC

In this figure, a zone is hosted on an authoritative DNS server, that is not secured with DNSSEC. The BIG-IP® system is configured with both a DNS zone and a DNSSEC zone that match the zone name on the server. The system can forward zone transfer requests to the DNS server, and then sign the response with DNSSEC keys, before sending the response to the client (authoritative DNS nameservers (clients) and cloud providers). This allows the clients and cloud providers to serve DNSSEC-signed DNS queries and responses.

BIG-IP system configured with DNS zone proxy and DNSSEC zone

The BIG-IP system configured with DNS zone proxy and DNSSEC zone

  1. DNS nameserver (client) sends zone transfer request for a DNS zone.
  2. The BIG-IP system forwards the request to the authoritative DNS server.
  3. DNS server answers with zone transfer.
  4. The BIG-IP system signs the zone transfer with DNSSEC keys.
  5. The BIG-IP system sends the DNSSEC-signed zone transfer to the client that made the request.
Important: The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.

Example of BIG-IP load balancing zone transfer request to pool of DNS servers and returning DNSSEC-signed zone transfer

In this figure, a zone is hosted on a pool of authoritative DNS servers. The servers are not secured with DNSSEC. The BIG-IP® system is configured with both a DNS zone and a DNSSEC zone that match the zone name on the servers. The BIG-IP system can forward zone transfer requests to a pool member, and then sign the response with DNSSEC keys, before sending the DNSSEC-signed zone transfer to the client (authoritative DNS nameserver or cloud provider). This allows the clients and cloud providers to serve DNSSEC-signed DNS queries and responses.

BIG-IP load balancing zone transfer request to pool member and returning DNSSEC-signed zone      transfer

BIG-IP load balancing zone transfer request to pool member and returning DNSSEC-signed zone transfer

  1. DNS nameserver (client) or cloud provider sends zone transfer request for a DNS zone.
  2. BIG-IP forwards the request to a member of the pool of authoritative DNS servers that host the zone.
  3. The pool member responds with a zone transfer.
  4. BIG-IP signs the zone transfer with DNSSEC keys.
  5. BIG-IP sends the DNSSEC-signed zone transfer to the client that made the request.
Important: The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.

Task summary

To configure the BIG-IP® system to sign zone transfers using DNSSEC keys, perform these tasks:

Enabling BIG-IP to respond to zone transfer requests

To enable the BIG-IP® system to sign zone transfers, create a custom DNS profile, and then assign the profile to a listener.
  1. On the Main tab, click DNS > Delivery > Profiles > DNS .
    The DNS profile list screen opens.
  2. Click Create.
    The New DNS Profile screen opens.
  3. In the Name field, type a unique name for the profile.
  4. Select the Custom check box.
  5. In the DNS Traffic area, from the Zone Transfer list, select Enabled.
  6. In the DNS Features area, from the Use BIND Server on BIG-IP list, select Disabled.
  7. Click Finished.
Assign the profile to a listener.
Important: DNS zone transfers use TCP port 53. Ensure that you use at least one listener configured for TCP.

Enabling a DNS listener to process DNSSEC traffic

Ensure that a custom DNS profile is present in the configuration with Zone Transfer enabled and Use BIND server on BIG-IP disabled.
When you implement DNSSEC zone transfer signing, you must modify the listeners that identify the DNSSEC traffic that the BIG-IP system handles by adding a custom DNS profile enabled for DNSSEC and zone transfers. If you created four listeners to handle your IPv4 and IPv6, UDP and TCP traffic, add the custom DNS profile to all four listeners.
Important: DNS zone transfers use TCP port 53. Ensure that you use at least one listener configured for TCP.
Note: If you have multiple BIG-IP DNS systems in a device group, perform this procedure on only one BIG-IP DNS system.
  1. On the Main tab, click DNS > Delivery > Listeners .
    The Listeners List screen opens.
  2. Click the name of the listener you want to modify.
  3. In the Service area, from the DNS Profile list, select the custom DNS profile with Zone Transfer enabled, and Use BIND server on BIG-IP disabled.
  4. Click Finished.
  5. Perform steps 2 - 4 to modify each of the other listeners.

Creating automatically managed DNSSEC zone-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create automatically-managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 1024.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 21.
  12. For the Expiration Period setting, in the Days field, type 30.
    Zero seconds indicates not set, and thus the key does not expire.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC zone-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.

Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create manually-managed zone-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual.
    The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in these steps are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic.
    The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 2048.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.)
    This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 340.
  12. For the Expiration Period setting, in the Days field, type 365.
    Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  13. For the Signature Validity Period setting, accept the default value of seven days.
    This value must be greater than the value of the signature publication period.
    Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours.
    This value must be less than the value of the signature validity period.
    Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC key-signing keys

Ensure that the time setting on BIG-IP® DNS is synchronized with the NTP servers on your network. This ensures that each BIG-IP DNS in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.

Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP DNS to use in the DNSSEC authentication process.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click Create.
    The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key.
    Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual.
    The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating a DNSSEC zone

Before you configure DNSSEC, ensure that at least one data center and a server object representing the BIG-IP® device exist in the BIG-IP system configuration.
Important: The DNSSEC feature is available only when the BIG-IP system is licensed for BIG-IP DNS.
Before the BIG-IP system can sign DNS requests (including zone transfer requests) for a zone using DNSSEC keys, you must create a DNSSEC zone on the system and assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click DNS > Zones > DNSSEC Zones .
    The DNSSEC Zone List screen opens.
  2. Click Create.
    The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name.
    For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
    You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
    You can associate the same key-signing key with multiple zones.
  7. Click Finished.
    Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.

Adding nameserver objects that represent DNS servers

Obtain the IP address of the authoritative DNS server that hosts the DNS zone. Optional: Ensure that the server TSIG key is available on the BIG-IP system.
When you want to transfer a zone from an authoritative DNS server into the DNS Express® engine and have DNS Express respond to DNS queries for the zone, add a nameserver object that represents the server that hosts the zone.
  1. On the Main tab, click DNS > Delivery > Nameservers .
    The Nameservers List screen opens.
  2. Click Create.
    The New Nameserver screen opens.
  3. In the Name field, type a name for the authoritative DNS server.
  4. In the Address field, type the IP address on which the DNS server listens for DNS messages.
  5. Optional: From the Server Key list, select the TSIG key that matches the TSIG key on the DNS server.
    The BIG-IP system uses this TSIG key to sign DNS zone transfer requests sent to the DNS server that hosts this zone, and then to verify a zone transfer returned from the DNS server.
Create a DNS zone and add a DNS Express server object to the zone.

Adding nameserver objects that represent DNS nameservers (clients)

Gather the IP addresses of the DNS nameservers (clients) from which the DNS Express™ engine accepts zone transfer requests for a DNS zone. Optional: Ensure that the client TSIG key is available on the BIG-IP system.
To allow DNS nameservers (clients) to request zone transfers for a zone, add a nameserver object that represents each client. Optionally, you can add a client TSIG key that the BIG-IP system uses to authenticate the identity of the client during zone transfer communications.
  1. On the Main tab, click DNS > Delivery > Nameservers .
    The Nameservers List screen opens.
  2. Click Create.
    The New Nameserver screen opens.
  3. In the Name field, type a name for the DNS nameserver (client).
  4. In the Address field, type the IP address on which the DNS nameserver (client) listens for DNS messages.
  5. Optional: From the TSIG Key list, select the TSIG key you want the BIG-IP system to use to validate zone transfer traffic.
  6. Click Finished.
  7. Add nameserver objects to represent other DNS nameservers (clients).
Add the DNS nameservers (clients) objects to the Zone Transfer Client list of the DNS zone on the BIG-IP system.

Configuring a DNS zone to answer zone transfer requests

Ensure that at least one nameserver object that represents a DNS nameserver (client) exists in the BIG-IP® system configuration:
Modify a DNS zone to answer zone transfer requests from specific DNS nameservers (clients).
  1. On the Main tab, click DNS > Zones .
    The Zone List screen opens.
  2. Click the name of the zone you want to modify.
  3. In the Zone Transfer Clients area, move the nameservers that can initiate zone transfers from the Available list to the Active list.
  4. Click Finished.

Viewing DNSSEC zone statistics

You can view information about the zones that are protected by DNS Express™.

  1. On the Main tab, click Statistics > Module Statistics > DNS > Zones .
    The Zones statistics screen opens.
  2. From the Statistics Type list, select Zones.
    Information displays about the traffic handled by the DNSSEC zones in the list.
  3. In the Details column for a zone, click View.
    Read the online help for an explanation of the statistics.

Troubleshooting DNSSEC on the BIG-IP system

On BIG-IP® DNS, you can view DNSSEC records in ZoneRunner™, access and view DNSSEC SEP Records, and modify generations of a DNSSEC key.

Task summary

When you want to troubleshoot the DNSSEC configuration on BIG-IP DNS, perform these tasks.

Accessing DNSSEC SEP records

Ensure that the BIG-IP system contains at least one DNSSEC zone.
Access the SEP records associated with a DNSSEC zone, when you want to copy the DS or DNSKEY records for the zone.
  1. On the Main tab, click DNS > Zones > DNSSEC Zones .
    The DNSSEC Zone List screen opens.
  2. Click the name of the DNSSEC zone for which you want to view or copy SEP records.
  3. On the menu bar, click SEP Records.
    The SEP records display for each generation of a key. If the SEP record screen is unexpectedly blank, ensure that at least one data center and a server representing the BIG-IP DNS device exist in the BIG-IP system configuration.
  4. From the Generation list, select a generation of the key-signing key.
    The DS Record and DNSKEY Record fields display read-only Security Entry Point (SEP) records, specifically the DS (Delegation Signer) and DNSKey records.

Modifying generations of a DNSSEC key

Modify a generation of a DNSSEC key, when you want to perform an emergency rollover of a compromised key for which you do not have a standby key.
  1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List .
    The DNSSEC Key List screen opens.
  2. Click a number in the Generations column.
    Information about this generation of the key displays.
    Column Title Contains
    ID Generation number of the key
    Key Tag Identifier (hash) of this generation of the key
    Creator Host name of BIG-IP DNS that created this generation of the key
    Rollover Time Time this generation of the key will roll over
    Expiration Time Time this generation of the key will expire
  3. Click the number in the ID column.
    The general properties of the generation of the key display.
  4. Select Specify from the Rollover Time list, and then select the exact time that you want the BIG-IP system to create and begin to use a new generation of this key.
    Modifying this setting does not affect the value of the rollover and expiration periods of the key.
  5. Select Specify from the Expiration Time list, and then select the exact time that you want this generation of the key to expire.
    Modifying this setting does not affect the value of the rollover and expiration periods of the key.
  6. Click Update.