Manual Chapter: Securing Your DNS Infrastructure

Overview: Securing your DNS infrastructure

You can use BIG-IP Global Traffic Manager (GTM) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

[Figure: Traffic flow when BIG-IP GTM is DNSSEC authoritative nameserver]

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.

Task summary

Perform these tasks on BIG-IP GTM to secure your DNS infrastructure.

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.
Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive a "connection refused" error or TCP RSTs.
  1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
  2. Click Create. The new Listeners screen opens.
  3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
  4. Click Finished.
Create another listener with the same IP address, but select TCP from the Protocol list.

Creating DNSSEC key-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Algorithm list, select the algorithm the system uses to create the key. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  5. In the Bit Width field, type 2048.
  6. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
  7. From the Type list, select Key Signing Key.
  8. From the State list, select Enabled.
  9. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. It must be less than the difference between the rollover and expiration periods of the key; otherwise, a client can make a query and receive a valid key that it cannot recognize.
  10. For the Rollover Period setting, in the Days field, type 340.
  11. For the Expiration Period setting, in the Days field, type 365.
  12. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
  13. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
  14. Click Finished.
  15. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zone-signing keys

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. In the Bit Width field, type 1024.
  5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
  6. From the Type list, select Zone Signing Key.
  7. From the State list, select Enabled.
  8. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. It must be less than the difference between the rollover and expiration periods of the key; otherwise, a client can make a query and receive a valid key that it cannot recognize.
  9. For the Rollover Period setting, in the Days field, type 21.
  10. For the Expiration Period setting, in the Days field, type 30.
  11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
  12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
  13. Click Finished.
  14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
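The key-signing and zone-signing procedures above both state the same timing rules: the rollover period must exceed half the expiration period but stay below it, the gap between expiration and rollover must exceed the key TTL, and the signature validity period must exceed the signature publication period. The following script is an added example (not F5 code, and not part of the original chapter) that encodes those rules as a check and runs it against the recommended KSK and ZSK values from both procedures, plus a constructed bad configuration to show what a violation looks like.

```python
"""Check DNSSEC key timing parameters against the constraints stated in this chapter.

Rules encoded here (all taken from the chapter's key-creation procedures):
  * rollover period  >  expiration period / 2
  * rollover period  <  expiration period
  * expiration - rollover  >  key TTL
  * signature validity period  >  signature publication period
"""
from dataclasses import dataclass
from typing import List

DAY = 86400  # seconds in one day (the default key TTL in the procedures)


@dataclass(frozen=True)
class KeyTiming:
    name: str
    ttl: int               # seconds a resolver may cache the key
    rollover_days: int
    expiration_days: int
    sig_validity: int      # seconds
    sig_publication: int   # seconds


def check_key_timing(k: KeyTiming) -> List[str]:
    """Return the list of violated constraints; an empty list means the timing is acceptable."""
    problems: List[str] = []
    rollover = k.rollover_days * DAY
    expiration = k.expiration_days * DAY
    if not rollover > expiration / 2:
        problems.append("rollover period must be greater than half the expiration period")
    if not rollover < expiration:
        problems.append("rollover period must be less than the expiration period")
    if not (expiration - rollover) > k.ttl:
        problems.append(
            "expiration minus rollover must exceed the key TTL, or resolvers can still hold "
            "a cached key after the zone has moved to the next one"
        )
    if not k.sig_validity > k.sig_publication:
        problems.append("signature validity period must be greater than the signature publication period")
    return problems


# Values recommended in this chapter: 7-day validity, 4 days 16 hours publication.
SIG_VALIDITY = 7 * DAY
SIG_PUBLICATION = 4 * DAY + 16 * 3600

KSK = KeyTiming("ksk", DAY, 340, 365, SIG_VALIDITY, SIG_PUBLICATION)
ZSK = KeyTiming("zsk", DAY, 21, 30, SIG_VALIDITY, SIG_PUBLICATION)

# Constructed bad configuration (hypothetical, not from the chapter):
# rollover equal to expiration leaves no gap at all for the one-day TTL.
BAD_ZSK = KeyTiming("zsk-bad", DAY, 30, 30, SIG_VALIDITY, SIG_PUBLICATION)

if __name__ == "__main__":
    for key in (KSK, ZSK, BAD_ZSK):
        problems = check_key_timing(key)
        print(key.name, "OK" if not problems else problems)
```

Run it before entering values into the New DNSSEC Key screen; the recommended KSK (340/365 days) and ZSK (21/30 days) settings pass, while the constructed `zsk-bad` entry fails both the rollover-below-expiration rule and the TTL-gap rule.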

Creating DNSSEC zones

Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click Create. The New DNSSEC Zone screen opens.
  3. In the Name field, type a second-level domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
  7. Click Finished.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name] (where dnssec.zone.name is the name of the zone you are configuring).

Confirm that GTM is signing the DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type dig @<IP address of GTM listener> +dnssec siterequest.com and press Enter. GTM returns the signed RRSIG records for the zone.
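Reading the dig output by eye tells you whether RRSIG records came back, but not whether every RRset in the answer is actually covered, or which key signed them. The script below is an added example, not part of the chapter and not F5 code; it parses the ANSWER SECTION of dig output, reports any RRset with no matching RRSIG, and collects the key tags from the RRSIGs so you can confirm that the expected zone-signing key is in use. The sample responses are constructed inline (the signature data is a placeholder, not a real signature).

```python
"""Check a `dig +dnssec` response for complete RRSIG coverage of the answer section."""
from typing import List, Set, Tuple

# Constructed sample of a fully signed response from a GTM listener (not real output).
SAMPLE_SIGNED = """\
;; flags: qr aa rd; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
siterequest.com.\t300\tIN\tA\t192.0.2.10
siterequest.com.\t300\tIN\tRRSIG\tA 8 2 300 20240108000000 20240101000000 12345 siterequest.com. PLACEHOLDERSIG==
siterequest.com.\t300\tIN\tNS\tns1.siterequest.com.
siterequest.com.\t300\tIN\tRRSIG\tNS 8 2 300 20240108000000 20240101000000 12345 siterequest.com. PLACEHOLDERSIG==

;; Query time: 1 msec
"""

# Constructed sample where the NS RRset came back without a signature.
SAMPLE_PARTIAL = """\
;; ANSWER SECTION:
siterequest.com.\t300\tIN\tA\t192.0.2.10
siterequest.com.\t300\tIN\tRRSIG\tA 8 2 300 20240108000000 20240101000000 12345 siterequest.com. PLACEHOLDERSIG==
siterequest.com.\t300\tIN\tNS\tns1.siterequest.com.

;; Query time: 1 msec
"""


def answer_records(dig_output: str) -> List[Tuple[str, str, List[str]]]:
    """Return (owner, type, rdata tokens) for each record in the ANSWER SECTION."""
    records: List[Tuple[str, str, List[str]]] = []
    in_answer = False
    for line in dig_output.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if not in_answer:
            continue
        if not line.strip() or line.startswith(";"):
            break  # end of the answer section
        fields = line.split()
        if len(fields) < 5:
            continue  # not a resource record line
        owner, _ttl, _cls, rtype, *rdata = fields
        records.append((owner, rtype, rdata))
    return records


def unsigned_rrsets(dig_output: str) -> List[Tuple[str, str]]:
    """RRsets (owner, type) in the answer that have no RRSIG covering them."""
    rrsets: Set[Tuple[str, str]] = set()
    covered: Set[Tuple[str, str]] = set()
    for owner, rtype, rdata in answer_records(dig_output):
        if rtype == "RRSIG":
            covered.add((owner, rdata[0]))  # first RRSIG field is the type covered
        else:
            rrsets.add((owner, rtype))
    return sorted(rrsets - covered)


def signing_key_tags(dig_output: str) -> Set[int]:
    """Key tags of every RRSIG in the answer (RRSIG rdata field 7 is the key tag)."""
    return {
        int(rdata[6])
        for _owner, rtype, rdata in answer_records(dig_output)
        if rtype == "RRSIG" and len(rdata) > 6
    }


def is_fully_signed(dig_output: str) -> bool:
    """True only if the answer is non-empty and every RRset carries an RRSIG."""
    return bool(answer_records(dig_output)) and not unsigned_rrsets(dig_output)


if __name__ == "__main__":
    for label, sample in (("signed", SAMPLE_SIGNED), ("partial", SAMPLE_PARTIAL)):
        print(label, "fully signed" if is_fully_signed(sample) else f"unsigned: {unsigned_rrsets(sample)}",
              "key tags:", signing_key_tags(sample))
```

To use it against a live listener, pipe the real dig output into `is_fully_signed`; an empty answer section counts as a failure rather than a pass, so a listener that silently returns nothing is caught too. Comparing `signing_key_tags` before and after a manual rollover is a quick way to confirm that the standby key has actually taken over.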

Implementation result

BIG-IP GTM is now configured to respond to DNS queries with DNSSEC-compliant responses.
