Manual Chapter: Securing Your DNS Infrastructure

Overview: Securing your DNS infrastructure

You can use BIG-IP Global Traffic Manager (GTM) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

Figure: Traffic flow when BIG-IP GTM is the DNSSEC authoritative nameserver

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.

Task summary

Perform these tasks on BIG-IP GTM to secure your DNS infrastructure.

Creating DNSSEC key-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
  • The amount of time required to get the DS records for the zone to which this key is associated published by the organization that manages the parent zone. The interval between the rollover and the expiration of a key-signing key must cover this time, because the new key is useless to validators until its DS record is in the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period and less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be greater than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Names are limited to 63 characters.
  4. From the Algorithm list, select the algorithm the system uses to create the key. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  5. In the Bit Width field, type 2048.
  6. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
  7. From the Type list, select Key Signing Key.
  8. From the State list, select Enabled.
  9. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a resolver that cached the DNSKEY set before the rollover can still be using it after the old key has expired, and it will receive signatures made with a key it has never seen, so validation fails.
  10. For the Rollover Period setting, in the Days field, type 340.
  11. For the Expiration Period setting, in the Days field, type 365.
  12. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
  13. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
  14. Click Finished.
  15. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zone-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
  • The amount of time required to get the DS records for the zone to which this key is associated published by the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period and less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be greater than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Names are limited to 63 characters.
  4. In the Bit Width field, type 1024.
  5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
  6. From the Type list, select Zone Signing Key.
  7. From the State list, select Enabled.
  8. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a resolver that cached the DNSKEY set before the rollover can still be using it after the old key has expired, and it will receive signatures made with a key it has never seen, so validation fails.
  9. For the Rollover Period setting, in the Days field, type 21.
  10. For the Expiration Period setting, in the Days field, type 30.
  11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
  12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
  13. Click Finished.
  14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
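The timing rules above apply to both the key-signing and the zone-signing procedures, and it is easy to get them wrong when mixing days (rollover, expiration) with seconds (TTL). The following is an added example, not F5 code, that encodes the chapter's rules as a check you can run before typing the values into the key screens. The key names, the 14-day parent-zone lead time for the KSK, and the deliberately broken profile at the end are assumptions for illustration.

```python
"""Check DNSSEC key timing values against the rules in this chapter.

Added example; not part of the BIG-IP GTM product or its documentation.
"""
from dataclasses import dataclass

DAY = 86400
HOUR = 3600


@dataclass
class KeyTiming:
    name: str
    ttl: int                   # seconds, as entered in the TTL field
    rollover_days: float       # Rollover Period, in days
    expiration_days: float     # Expiration Period, in days
    sig_validity: int          # Signature Validity Period, in seconds
    sig_publication: int       # Signature Publication Period, in seconds
    parent_ds_lead_time: int = 0   # seconds the parent needs to publish the DS (KSK only)


def prepublish_window(k: KeyTiming) -> int:
    """Seconds between the new key appearing and the old key expiring."""
    return int((k.expiration_days - k.rollover_days) * DAY)


def violations(k: KeyTiming) -> list:
    """Return a list of rule violations; an empty list means the profile is sound."""
    problems = []
    roll = k.rollover_days * DAY
    exp = k.expiration_days * DAY
    window = prepublish_window(k)

    # Rule: expiration/2 < rollover < expiration.
    if not (exp / 2 < roll < exp):
        problems.append(f"{k.name}: rollover must lie between half the expiration and the expiration")

    # Rule: (expiration - rollover) must exceed the TTL, or cached DNSKEY
    # sets can outlive the key they describe.
    if window <= k.ttl:
        problems.append(f"{k.name}: expiration - rollover ({window}s) must exceed TTL ({k.ttl}s)")

    # Rule: the window must also cover the time the parent needs to publish the DS.
    if window <= k.parent_ds_lead_time:
        problems.append(f"{k.name}: window ({window}s) does not cover parent DS lead time")

    # Rule: signature validity must be greater than signature publication.
    if k.sig_validity <= k.sig_publication:
        problems.append(f"{k.name}: signature validity must exceed signature publication period")

    return problems


# The NIST-derived profiles from this chapter (names are assumptions).
KSK = KeyTiming("ksk_example_com", DAY, 340, 365, 7 * DAY, 4 * DAY + 16 * HOUR,
                parent_ds_lead_time=14 * DAY)   # 14 days is an assumed registrar turnaround
ZSK = KeyTiming("zsk_example_com", DAY, 21, 30, 7 * DAY, 4 * DAY + 16 * HOUR)

# A constructed mistake: a 10-day TTL with only a 9-day pre-publication window.
BAD_ZSK = KeyTiming("zsk_bad_ttl", 10 * DAY, 21, 30, 7 * DAY, 4 * DAY + 16 * HOUR)


if __name__ == "__main__":
    for profile in (KSK, ZSK, BAD_ZSK):
        found = violations(profile)
        print(profile.name, "OK" if not found else found)
```

Run it before creating the keys; the two chapter profiles pass, and the constructed `zsk_bad_ttl` profile is rejected because its 9-day window is shorter than its 10-day TTL.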

Creating DNSSEC zones

Before BIG-IP GTM can sign responses for a zone, you must assign at least one enabled zone-signing key and one enabled key-signing key to the zone.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click Create. The New DNSSEC Zone screen opens.
  3. In the Name field, type the FQDN of the zone. The zone covers that name and every name beneath it: a zone named example.com handles DNSSEC requests for example.com and *.example.com, while a zone named www.example.com handles only www.example.com and *.www.example.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
  7. Click Finished.
  8. Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and publish it in their zone; this is what links your zone into the chain of trust, so validators cannot trust your signatures until it is done. You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name] on the BIG-IP GTM (where dnssec.zone.name is the name of the zone you are configuring).

Validating that a zone is correctly signed

After you create DNSSEC zones and assign keys to them, you can validate that the zone is being correctly signed.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type dig @<IP of BIG-IP GTM listener> +dnssec www.siterequest.com A. A correct response must include the A record for www.siterequest.com together with an RRSIG record covering it. To see the keys themselves, type dig @<IP of BIG-IP GTM listener> +dnssec siterequest.com DNSKEY; the response must include the zone-signing and key-signing keys and an RRSIG record covering the DNSKEY set. If the RRSIG records are missing, check that the zone is enabled and has at least one enabled key of each type assigned.

Specifying which GTM creates new generations of DNSSEC keys

Determine the server name of the BIG-IP GTM system that you want to designate as the creator of new generations of DNSSEC keys.
If you do not designate a specific system, any BIG-IP GTM system in the synchronization group can be automatically chosen to create new generations of DNSSEC keys.
  1. On the Main tab, click System > Configuration > Global Traffic > General. The General configuration screen opens.
  2. In the DNSSEC Key Creation Server field, type the server name of the BIG-IP GTM system that you want to designate as the creator of new generations of DNSSEC keys.
  3. Click Update.
The designated BIG-IP GTM system creates new generations of DNSSEC keys. The new generations of the keys are automatically distributed to the other systems in the synchronization group during configuration synchronization.

Implementation results

BIG-IP GTM is now configured to respond to DNS queries with DNSSEC-compliant responses.
