The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. The BIG-IP® Global Traffic Manager uses DNSSEC to guarantee the authenticity of DNS responses to queries and to return Denial of Existence responses.
You can use the DNSSEC feature of Global Traffic Manager to protect your network infrastructure from DNS protocol and DNS server attacks such as spoofing, ID hacking, cache poisoning, and denial of service.
Global Traffic Manager responds to DNS requests to a specific zone by returning signed nameserver responses based on the currently available generations of a key. Before you can configure Global Traffic Manager to handle nameserver responses that are DNSSEC-compliant, you must create DNSSEC keys and zones.
There are two kinds of DNSSEC keys: zone-signing keys and key-signing keys. Global Traffic Manager uses a zone-signing key to sign all of the records in a DNSSEC record set, and a key-signing key to sign only the DNSKEY record of a DNSSEC record set.
F5 Networks recommends that, for emergency rollover purposes, when you create a key you also create a duplicate version of the key with a similar name, but do not enable that version. For example, create a key-signing key called ksk1a that is enabled. Then create a duplicate key, but name it ksk1b, and change the state to disabled. When you associate both of these keys with the same zone, you are prepared to easily perform a manual rollover of the key, if necessary.
In order for Global Traffic Manager to use the keys that you create to sign requests, you must assign the keys to a zone. DNSSEC zones are containers that map a domain name to a set of DNSSEC keys that the system uses to sign DNSSEC-compliant nameserver responses to DNS queries.
When you create a DNSSEC zone, you must assign at least one enabled zone-signing key and one enabled key-signing key to the zone before Global Traffic Manager can sign requests to that zone.
Additionally, after you create a DNSSEC zone, you must submit the DS record for the zone to the administrators of your parent zone, who sign the DS record with their own key and upload it to their zone. You can find the DS record for your zone in /config/gtm/dsset-<dnssec.zone.name>.
To enhance key security, the BIG-IP® system has an automatic key rollover feature that uses overlapping generations of a key to ensure that the system can always respond to requests with a signature. The system dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period settings of the key. The first generation of a key has an ID of 0 (zero). Each time the system dynamically creates a new generation of the key, the ID increments by 1. When a generation of a key expires, the system automatically removes that generation of the key from the configuration. Figure 10.1 illustrates this, and shows how over time each generation of a key overlaps the previous generation of the key.
The value that you assign to the TTL (time-to-live) setting for a key specifies how long a client resolver can cache the key. As shown in Figure 10.1, the value you assign to the TTL setting of the key must be less than the difference between the values of the Rollover Period and Expiration Period settings of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
Each time a new generation of a key-signing key is created, you must provide the updated DS record to the administrators of the parent zone. For example, in Figure 10.1, the value of the Rollover Period of the key is 30 days, and the value of the Expiration Period of the key is 37 days. In the case of a key-signing key, a new generation of the key is created every 30 days, and you have seven days before the old generation of the key expires to provide the new DS record to the administrators of the parent zone. These administrators sign the new DS record with their own key and upload it to their zone.
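The generation-overlap and TTL rules above can be checked numerically before a key is configured. The following Python model is an added example, not F5 code; it assumes (as the text describes) that generation n is created n rollover periods after generation 0, is removed when its Expiration Period elapses, and that a resolver caches the newest generation it saw for TTL days. The rollover_days, expiration_days and ttl_days names are the example's own.

```python
"""Model of overlapping DNSSEC key generations on Global Traffic Manager.

Added example (not F5 code). Assumed timeline: generation n is created at
n * rollover_days, and expires (is removed from the configuration) at
creation + expiration_days. Times are whole days.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KeyPolicy:
    rollover_days: int     # Rollover Period setting of the key
    expiration_days: int   # Expiration Period setting of the key
    ttl_days: int          # TTL setting (how long a resolver may cache the key)

    def overlap_days(self) -> int:
        """Days during which a generation coexists with its successor.
        For a key-signing key this is also the window you have to hand
        the new DS record to the parent zone's administrators."""
        return self.expiration_days - self.rollover_days

    def ttl_is_safe(self) -> bool:
        """The rule from the text: TTL must be strictly less than
        Expiration Period minus Rollover Period."""
        return self.ttl_days < self.overlap_days()


def generation_created(policy: KeyPolicy, gen_id: int) -> int:
    return gen_id * policy.rollover_days


def generation_expires(policy: KeyPolicy, gen_id: int) -> int:
    return generation_created(policy, gen_id) + policy.expiration_days


def active_generations(policy: KeyPolicy, day: int) -> list:
    """IDs of the generations still present in the configuration on 'day'."""
    gens, gen_id = [], 0
    while generation_created(policy, gen_id) <= day:
        if day < generation_expires(policy, gen_id):
            gens.append(gen_id)
        gen_id += 1
    return gens


def cached_key_still_valid(policy: KeyPolicy, fetch_day: int) -> bool:
    """A resolver that fetched the key on 'fetch_day' caches the newest
    generation of that day for TTL days. Returns False if that generation
    is removed before the cache entry expires, i.e. the resolver could be
    handed a signature made with a generation it does not recognise."""
    newest = max(active_generations(policy, fetch_day))
    return fetch_day + policy.ttl_days < generation_expires(policy, newest)
```

With the figure's values (30-day rollover, 37-day expiration) a 1-day TTL passes, while a 10-day TTL fails for a resolver that fetched the key on day 29, just before generation 1 appears.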
There are numerous ways to provide the new DS record to the administrators of the parent zone, including secure FTP or use of a secure web site for this purpose. Provide the new DS record to the administrators of the parent zone according to your company policy.
Your configuration of BIND is independent of the configuration of DNSSEC on Global Traffic Manager. If you want to use BIND for delegation or other tasks, you must add the DNSSEC resource records to your BIND configuration; otherwise, BIND is not aware of these records. If you do this, you can view the DNSSEC resource records in ZoneRunner.