Manual Chapter: Configuring DNSSEC

Overview: Configuring DNSSEC

You can use BIG-IP Global Traffic Manager (GTM) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

[Figure: Traffic flow when BIG-IP GTM is DNSSEC authoritative nameserver]

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.

About enhancing DNSSEC key security

To enhance DNSSEC key security, BIG-IP Global Traffic Manager (GTM) uses an automatic key rollover process that uses overlapping generations of a key to ensure that BIG-IP GTM can always respond to queries with DNSSEC-compliant responses. BIG-IP GTM dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period of the key.

The first generation of a key has an ID of 0 (zero). Each time BIG-IP GTM dynamically creates a new generation of a key, the ID increments by one. Over time, each generation of a key overlaps the previous generation of the key. When a generation of a key expires, BIG-IP GTM automatically removes that generation of the key from the configuration. The value of the TTL (time-to-live) of a key specifies how long a client resolver can cache the key.

[Figure: Overlapping generations of a key]

Task summary

Perform these tasks on BIG-IP GTM to secure your DNS infrastructure.

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.
Note: DNS zone transfers use TCP port 53, and a resolver that receives a truncated (TC) UDP response retries the query over TCP. Signed responses, which carry RRSIG and DNSKEY records, are the responses most likely to exceed the UDP payload size a resolver advertises. If you do not configure a listener for TCP, the client might receive the error connection refused or TCP RSTs, and DNSSEC validation can fail for any response that needs TCP.
  1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
  2. Click Create. The new Listeners screen opens.
  3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
  4. Click Finished.
Create another listener with the same IP address, but select TCP from the Protocol list.

Creating DNSSEC key-signing keys

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:

  • The time it takes to deliver the DS records for the zone that this key signs to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Algorithm list, select the algorithm the system uses to create the key. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512. Prefer RSA/SHA256: the SHA-1 based DNSSEC algorithms are deprecated for signing (RFC 8624 rates RSASHA1 as not recommended), and some validators have begun to treat zones signed with them as insecure.
  5. In the Bit Width field, type 2048.
  6. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
  7. From the Type list, select Key Signing Key.
  8. From the State list, select Enabled.
  9. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. It must be less than the difference between the rollover and expiration periods of the key; otherwise a resolver that cached the DNSKEY RRset just before a new generation appeared can receive a response signed with a key that is not in its cached set, and validation fails.
  10. For the Rollover Period setting, in the Days field, type 340.
  11. For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  12. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  13. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  14. Click Finished.
  15. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zone-signing keys

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:

  • The time it takes to deliver the DS records for the zone that this key signs to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Algorithm list, select the same algorithm you selected for the key-signing key; a validator expects every RRset to be signed with each algorithm that appears in the zone's DNSKEY RRset (RFC 4035), so mixing algorithms between the two keys invites validation failures. In the Bit Width field, type 1024. This value follows the NIST DNS deployment guide that this procedure is based on; current NIST guidance (SP 800-131A) disallows RSA keys shorter than 2048 bits for new signatures, so use 2048 unless response size or hardware constraints force a smaller key.
  5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
  6. From the Type list, select Zone Signing Key.
  7. From the State list, select Enabled.
  8. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. It must be less than the difference between the rollover and expiration periods of the key; otherwise a resolver that cached the DNSKEY RRset just before a new generation appeared can receive a response signed with a key that is not in its cached set, and validation fails.
  9. For the Rollover Period setting, in the Days field, type 21.
  10. For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
  11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  13. Click Finished.
  14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
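The three timing rules from the key-signing-key and zone-signing-key procedures above, checked in code against the chapter's own values (rollover 340 days and expiration 365 days for the KSK, 21 and 30 days for the ZSK, TTL 86400 for both), together with a simulation of the overlapping key generations that the automatic rollover process produces. This is an added example, not F5 code and not a BIG-IP interface; the key names and the number of generations simulated are assumptions for illustration.

```python
"""Check DNSSEC key timing values against the three rules given in the
key-signing-key and zone-signing-key procedures, and show the overlapping
key generations those values produce.

Added example for this chapter, not F5 code. Key names and the number of
generations simulated are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

DAY = 86400  # seconds


@dataclass(frozen=True)
class KeyTiming:
    name: str
    rollover: int    # seconds: a new generation is created every `rollover`
    expiration: int  # seconds: each generation is removed after `expiration`
    ttl: int         # seconds: how long a resolver may cache the DNSKEY RRset


def timing_violations(k: KeyTiming) -> list[str]:
    """Return the chapter's timing rules that these values break (empty = OK).

    rollover > expiration / 2  : never more than two generations live at once
    rollover < expiration      : the next generation exists before this one expires
    expiration - rollover > ttl: a resolver holding a cached DNSKEY RRset still
                                 has the key that signed the answer it receives
    """
    problems = []
    if k.expiration == 0:
        problems.append("expiration is 0 (not set): the key never expires or rolls")
    if not k.rollover > k.expiration / 2:
        problems.append("rollover period must exceed half the expiration period")
    if not k.rollover < k.expiration:
        problems.append("rollover period must be less than the expiration period")
    if not (k.expiration - k.rollover) > k.ttl:
        problems.append("expiration minus rollover must exceed the DNSKEY TTL")
    return problems


def generations(k: KeyTiming, count: int) -> list[tuple[int, int, int]]:
    """(id, created_at, expires_at) for the first `count` generations.

    Generation 0 is created at t=0 and the ID increments by one per rollover,
    as the chapter describes; each generation lives for the expiration period.
    """
    return [(g, g * k.rollover, g * k.rollover + k.expiration) for g in range(count)]


def live_generations(k: KeyTiming, t: int, count: int) -> list[int]:
    """IDs of the generations present in the configuration at time t."""
    return [g for g, start, end in generations(k, count) if start <= t < end]


def always_covered(k: KeyTiming, count: int) -> bool:
    """True if, from t=0 until the last generation is created, one or two
    generations (never zero, never three) are live at every TTL step."""
    horizon = (count - 1) * k.rollover
    step = k.ttl or DAY
    return all(1 <= len(live_generations(k, t, count)) <= 2
               for t in range(0, horizon + 1, step))


# Values from the two procedures in this chapter (key names are assumptions).
KSK = KeyTiming("siterequest-ksk", 340 * DAY, 365 * DAY, DAY)
ZSK = KeyTiming("siterequest-zsk", 21 * DAY, 30 * DAY, DAY)
# A deliberately bad setting: rollover below half the expiration period, so
# three generations would be live at once.
BAD = KeyTiming("siterequest-zsk-bad", 10 * DAY, 30 * DAY, DAY)

if __name__ == "__main__":
    for key in (KSK, ZSK, BAD):
        print(key.name, timing_violations(key) or "timing OK",
              "coverage OK" if always_covered(key, 6) else "coverage BROKEN")
        for g, start, end in generations(key, 3):
            print(f"  generation {g}: created day {start // DAY}, expires day {end // DAY}")
```

Run it before committing new timing values: a key that passes `timing_violations` but not `always_covered` points at an arithmetic slip in the values you entered, and the printed schedule gives you the calendar on which the DS record for each new KSK generation has to reach the parent zone.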

Creating DNSSEC zones

Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click Create. The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
  7. Click Finished. Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
  8. Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS records with their own key and publish them in their zone; until they do, validating resolvers treat your zone as unsigned (insecure) rather than as secure. You can find the DS records in the file /config/gtm/dsset-[dnssec.zone.name], where dnssec.zone.name is the name of the zone you are configuring.

Confirming that GTM is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type:
     dig @<IP address of GTM listener> +dnssec siterequest.com
     The +dnssec option sets the DNSSEC OK (DO) bit in the query, and GTM returns the RRSIG records for the zone alongside the answer. Look for RRSIG records in the ANSWER section; do not expect the AD flag, which only a validating resolver sets, not an authoritative server. To see the published key set, repeat the query with the DNSKEY type, and repeat it with +tcp to confirm that the TCP listener answers.
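The checks an operator runs on the output of the dig query above, and the derivation of the DS record that step 8 of the zone procedure sends to the parent zone, as an added example rather than F5 code: every RRset in the answer must carry an RRSIG, every RRSIG must name a published DNSKEY by key tag, and the DS record computed from the key with flags 257 (the key-signing key) should match the line in /config/gtm/dsset-<zone>. The answer text is constructed in dig's presentation format with tiny fake public keys and signatures so that the script runs offline; real keys are 1024 or 2048 bits.

```python
"""Check a `dig +dnssec` answer: every RRset must carry an RRSIG, each RRSIG
must name a published DNSKEY, and the DS record derived from the KSK
(flags 257) should match /config/gtm/dsset-<zone>.

Added example for this chapter, not F5 code. The answer text is constructed,
with tiny fake keys and signatures, so it runs offline.
"""
import base64
import hashlib
import struct

# Constructed answer section in dig's presentation format (not a real capture).
SAMPLE_ANSWER = """
siterequest.com.     86400 IN DNSKEY 257 3 8 AAEAAQ==
siterequest.com.     86400 IN DNSKEY 256 3 8 AAEAAw==
siterequest.com.     86400 IN RRSIG  DNSKEY 8 2 86400 20240108000000 20240101000000 1035 siterequest.com. c2lnMQ==
www.siterequest.com.    30 IN A      192.0.2.10
www.siterequest.com.    30 IN RRSIG  A 8 3 30 20240108000000 20240101000000 1036 siterequest.com. c2lnMg==
"""


def parse_answer(text):
    """Split dig answer lines into (owner, ttl, type, rdata_fields) tuples."""
    records = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[2] != "IN":
            continue  # skip comments, blank lines and anything not an IN record
        owner, ttl, _, rtype = fields[:4]
        records.append((owner.lower(), int(ttl), rtype, fields[4:]))
    return records


def unsigned_rrsets(records):
    """(owner, type) pairs with no covering RRSIG; must be empty on a signed zone."""
    signed = {(o, rd[0]) for o, _, t, rd in records if t == "RRSIG"}
    present = {(o, t) for o, _, t, _ in records if t != "RRSIG"}
    return sorted(present - signed)


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(fields):
    """DNSKEY RDATA bytes: flags(2) protocol(1) algorithm(1) public key."""
    flags, proto, alg = (int(x) for x in fields[:3])
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[3:]))


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (valid for every algorithm except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rrsig_without_key(records):
    """RRSIGs whose key tag matches no published DNSKEY (stale or missing signer).

    The key tag is a 16-bit checksum, not a unique ID, so a match is necessary
    for validation but not sufficient."""
    tags = {key_tag(dnskey_rdata(rd)) for _, _, t, rd in records if t == "DNSKEY"}
    return [(o, rd[0]) for o, _, t, rd in records if t == "RRSIG" and int(rd[6]) not in tags]


def ds_record(owner, fields):
    """DS RR with digest type 2 (SHA-256), RFC 4034 section 5.1.4:
    digest = SHA-256(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(fields)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {int(fields[2])} 2 {digest}"


def ksk_ds_records(records):
    """DS records for every DNSKEY with the SEP bit set (flags & 1, i.e. 257).
    Compare these with the dsset file before sending it to the parent zone."""
    return [ds_record(o, rd) for o, _, t, rd in records
            if t == "DNSKEY" and int(rd[0]) & 1]


if __name__ == "__main__":
    recs = parse_answer(SAMPLE_ANSWER)
    print("unsigned RRsets:", unsigned_rrsets(recs) or "none")
    print("RRSIGs with unknown key tag:", rrsig_without_key(recs) or "none")
    for ds in ksk_ds_records(recs):
        print(ds)
```

Feed it the ANSWER section of `dig @<listener> +dnssec siterequest.com DNSKEY` followed by a query for a record under the zone. An empty result from `unsigned_rrsets` and `rrsig_without_key` is what a correctly signed zone looks like; a DS line that differs from the dsset file means the key set GTM is serving is not the one whose DS you are about to hand to the parent.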

Viewing DNSSEC records in ZoneRunner

Ensure that all DNSSEC records are added to the BIND configuration.
View the DNSSEC records using ZoneRunner.
  1. On the Main tab, click Global Traffic > ZoneRunner > Resource Record List. The Resource Record List screen opens.
  2. From the View Name list, select the name of the view that contains the resource records you want to view.
  3. From the Zone Name list, select the zone for which you want to view resource records.
  4. From the Type list, select the type of resource records you want to view.
  5. Click Search.
View the resource records that display.

Implementation result

BIG-IP GTM is now configured to respond to DNS queries with DNSSEC-compliant responses.
