Manual Chapter: Working with DNSSEC Keys and Zones
The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. The BIG-IP® Global Traffic Manager uses DNSSEC to guarantee the authenticity of DNS responses to queries and to return Denial of Existence responses.
You can use the DNSSEC feature of the Global Traffic Manager to protect your network infrastructure from DNS protocol and DNS server attacks such as spoofing, ID hacking, cache poisoning, and denial of service.
The Global Traffic Manager responds to DNS requests to a specific zone by returning signed nameserver responses based on the currently available generations of a key. Before you can configure the Global Traffic Manager to handle nameserver responses that are DNSSEC-compliant, you must create DNSSEC keys and zones.
There are two kinds of DNSSEC keys: zone-signing keys and key-signing keys. The Global Traffic Manager uses a zone-signing key to sign all of the records in a DNSSEC record set, and a key-signing key to sign only the DNSKEY record in a DNSSEC record set.
DNSSEC zones are containers that map a domain name to a set of keys. You can create a DNSSEC zone, but before the Global Traffic Manager can sign requests to that zone, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
Additionally, after you create a DNSSEC zone, you must submit the DS record for the zone to the administrators of your parent zone, who sign the DS record with their own key and upload it to their zone. You can find the DS record for your zone in /config/gtm/dsset-<dnssec.zone.name>.
To enhance key security, the BIG-IP® system has an automatic key rollover feature that uses overlapping generations of a key to ensure that the system can always respond to requests with a signature. The system dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period settings of the key. The first generation of a key has an ID of 0 (zero). Each time the system dynamically creates a new generation of the key, the ID increments by 1. Once the expiration time of a generation of a key is reached, the system automatically removes that generation of the key from the configuration and updates the DS record for the zone.
Figure 10.1 illustrates this, and shows how over time each generation of a key overlaps the previous generation of the key.
The value that you assign to the TTL (time-to-live) setting for a key specifies how long a client resolver can cache the key. As shown in Figure 10.1, the value you assign to the TTL setting of the key must be less than the difference between the values of the Rollover Period and Expiration Period settings of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
Important: To ensure that each Global Traffic Manager system is referencing the same time when generating keys, you must synchronize the time setting on each system with the Network Time Protocol (NTP) servers that the Global Traffic Manager references. For information, see Defining NTP servers, on page 3-10.
Each time a new generation of a key-signing key is created, you must provide the updated DS record to the administrators of the parent zone. For example, in Figure 10.1, the value of the Rollover Period of the key is 30 days, and the value of the Expiration Period of the key is 37 days. In the case of a key-signing key, a new generation of the key is created every 30 days, and you have seven days before the old generation of the key expires to provide the new DS record to the administrators of the parent zone. These administrators sign the new DS record with their own key and upload it to their zone.
There are numerous ways to provide the new DS record to the administrators of the parent zone, including secure FTP or use of a secure web site for this purpose. Provide the new DS record to the administrators of the parent zone according to your company policy.
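The DS record you hand to the parent zone is a digest of your key-signing key's DNSKEY record. The following added example (not F5 code; it does not read the /config/gtm/dsset-<dnssec.zone.name> file) builds a DS line from a DNSKEY following RFC 4034, so you can check what you are sending matches the key the system publishes. The zone name siterequest.com is the chapter's example; the 4-byte public key is a constructed placeholder, so the resulting digest is not a real one.

```python
import hashlib

def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name, e.g. b'\\x0bsiterequest\\x03com\\x00'."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, algorithm, public_key):
    """DNSKEY RDATA: flags (257 for a key-signing key, 256 for a zone-signing key),
    protocol (always 3), algorithm number, then the raw public key bytes."""
    return flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + public_key

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_record(owner, rdata, digest_type=2):
    """Return the DS presentation line for this DNSKEY: the digest covers the
    canonical owner name followed by the DNSKEY RDATA (digest type 2 = SHA-256)."""
    hasher = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return (f"{owner.lower().rstrip('.')}. IN DS {key_tag(rdata)} {algorithm} "
            f"{digest_type} {digest}")

if __name__ == "__main__":
    # Constructed placeholder key (a real RSA key is hundreds of bytes); algorithm 8 = RSASHA256.
    ksk = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")
    print(ds_record("siterequest.com", ksk))
```

Compare the key tag and digest printed here with the dsset file before sending the record; a mismatch means you are looking at a different generation of the key.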
F5 Networks recommends that for emergency rollover purposes, when you create a key, you create a duplicate version of the key with a similar name, but do not enable that version. For example, create a key-signing key called ksk1a that is enabled. Then create a duplicate key, but name it ksk1b, and change the state to disabled. When you associate both of these keys with the same zone, you are prepared to easily perform a manual rollover of the key, if necessary. For more information about emergency rollover, see Performing a manual rollover of a key.
Note: Only users with Administrator or Resource Administrator roles can create, modify, and delete DNSSEC keys.
In order for the Global Traffic Manager to use the keys that you create to sign requests, you must assign the keys to a zone. For more information, see Creating DNSSEC zones.
You must create at least one zone-signing and one key-signing key, and assign both keys to a zone before the Global Traffic Manager can sign requests using the keys. For more information about DNSSEC zones, see Managing DNSSEC zones.
2. Click DNSSEC Key List.
3. Click Create.
5. Click Finished.
The allowed values are determined by your hardware platform or the FIPS hardware security module (HSM), if your system contains one. These three options are valid: 1024 and 2048
If your system contains a FIPS HSM on which you store the DNSSEC keys to protect the keys from physical and software attacks, select Enabled.
Note: If your system does not contain a FIPS HSM, and you set this option to Enabled, the system automatically resets the value to Disabled.
Select Enabled when you are creating a key-signing or zone-signing key that you plan to associate with a zone as an active key.
Important: You can assign both enabled and disabled key-signing and zone-signing keys to a zone; however, the system uses only enabled keys to sign requests.
TTL
Type the number of seconds that client resolvers can cache the key. 0 seconds indicates that the key is not cached by client resolvers.
Rollover Period
Type the number of seconds after which the system creates a new generation of the key. 0 seconds indicates not set, and thus the key does not roll over.
The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and strictly less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Expiration Period
Type the number of seconds after which the system deletes an expired generation of the key. 0 seconds indicates not set, and thus the key does not expire.
The value of the expiration period must be more than the value of the rollover period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
Signature Validity Period
Type the number of seconds after which the system no longer uses the expired signature. 0 seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
Default: 604800 (one week)
Signature Publication Period
Type the number of seconds after which the system creates a new signature. 0 seconds indicates not set, and thus the system does not cache the signature.
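The rules above for TTL, Rollover Period and Expiration Period, together with the overlapping generations of Figure 10.1, are easy to get wrong when typing seconds into a form. This added example (not F5 code) checks the three constraints stated in this chapter and projects the generation schedule, using the chapter's 30-day rollover and 37-day expiration; the 1-day TTL and the creation time are assumed values.

```python
from datetime import datetime, timezone

def check_key_timing(ttl, rollover, expiration):
    """Check the timing rules this chapter states for a DNSSEC key.
    All arguments are seconds, as typed into the key settings.
    Returns the list of violated rules; an empty list means the settings are consistent."""
    problems = []
    if rollover == 0 or expiration == 0:
        # 0 means "not set": the key never rolls over or never expires.
        return ["rollover and expiration periods must both be set for automatic rollover"]
    if 3 * rollover < expiration:
        problems.append("rollover period must be at least one third of the expiration period")
    if rollover >= expiration:
        problems.append("rollover period must be strictly less than the expiration period")
    if expiration - rollover <= ttl:
        # Otherwise a resolver can cache a key that is gone before the cache entry expires.
        problems.append("expiration period minus rollover period must exceed the TTL")
    return problems

def generation_schedule(created_at, rollover, expiration, count):
    """Project the first `count` generations of a key (epoch seconds in, epoch seconds out).
    Generation i is created i * rollover seconds after generation 0 and removed
    expiration seconds after its own creation, so consecutive generations overlap."""
    gens = []
    for gen_id in range(count):
        start = created_at + gen_id * rollover
        gens.append({"id": gen_id, "created": start, "removed": start + expiration})
    return gens

def ds_update_window(rollover, expiration):
    """Seconds between a new key-signing key generation appearing and the old one
    expiring: the time you have to deliver the new DS record to the parent zone."""
    return expiration - rollover

if __name__ == "__main__":
    DAY = 86400
    ttl, roll, exp = 1 * DAY, 30 * DAY, 37 * DAY   # TTL is an assumed value
    print("violations:", check_key_timing(ttl, roll, exp) or "none")
    created = int(datetime(2024, 1, 1, tzinfo=timezone.utc).timestamp())  # assumed
    for g in generation_schedule(created, roll, exp, 3):
        fmt = lambda ts: datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")
        print(f"generation {g['id']}: created {fmt(g['created'])}, removed {fmt(g['removed'])}")
    print("days to deliver the new DS record:", ds_update_window(roll, exp) // DAY)
```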
After you create a DNSSEC key, you can modify it as necessary. For example, if you created a disabled key that you are now ready to put into production, you can change the state of the key to enabled.
2. Click DNSSEC Key List.
4. Modify the settings of the key as required. For example, to disable the key, select Disabled from the State list.
5. Click Update.
You can delete a DNSSEC key, for example, when you perform an emergency rollover of a compromised key. For more information about emergency rollover, see Performing a manual rollover of a key.
Warning: If you delete a key that is associated with a zone that is available (enabled and online), if there are no other enabled keys of that type associated with the zone, the status of the zone immediately becomes offline.
2. Click DNSSEC Key List.
4. Click Delete.
5. Click Delete again to delete the key.
You can modify a generation of a DNSSEC key, for example, when you perform an emergency rollover of a compromised key for which you do not have a standby key. For more information about emergency rollover, see Performing a manual rollover of a key.
Warning: F5 Networks recommends that you modify only the Rollover Time and Expiration Time settings of a generation of a key. Modifying the ID or Public Key settings can cause the system to return denial of service messages rather than signed responses.
2. Click DNSSEC Key List.
4. Modify the Rollover Time or Expiration Time settings of a generation of a key, using the information in Table 10.2 or the online help to assist you.
5. Click Update.
ID
Important: Do not modify this setting.
Public Key
Important: Do not modify this setting.
Rollover Time
Type the exact time that you want the system to create and begin to use a new generation of the key.
Note: Modifying this setting does not affect the value of the rollover and expiration periods of the key.
Expiration Time
Note: Modifying this setting does not affect the value of the rollover and expiration periods of the key.
If necessary, you can manually perform an emergency rollover of a compromised key. If, when you created the key, you created a duplicate of the key (a standby key) with a different name and disabled the standby key, manually rolling over the key is easier.
2. Click DNSSEC Key List.
4. From the State list, select Enabled.
5. Click Update.
6. Provide the records for the compromised key and the newly enabled key to the administrator of the parent zone.
After the administrator has loaded the newly active key records to the zone and the records have been signed, complete the remainder of the steps in this procedure.
7. Expand Global Traffic and click DNSSEC Key List.
9. Click Delete.
10. Click Delete again to delete the key.
2. Click DNSSEC Key List.
4. From the State list, select Enabled.
5. Click Update.
6. Click DNSSEC Key List.
8. Click Delete.
9. Click Delete again to delete the key.
2. Click DNSSEC Key List.
4. Click Generations.
5. Change the Rollover Time to today's date and the current time.
6. Change the Expiration Time to today's date and a future time.
Important: This date must be no sooner than the maximum TTL of the key. Additionally, this date must also allow time for you to perform step 6. Your BIND administrator can provide you with the maximum TTL of the key.
After the administrator configures the zone with the new DS record and the system creates a new signature, complete the remainder of the steps in this procedure.
8. Expand Global Traffic and click DNSSEC Key List.
10. Click Generations.
12. Click Delete.
13. Click Delete again to delete the generation of the key.
The system rolls over this generation of the key at the time specified in the Rollover Time setting. The system removes the old generation of the key at the time specified in the Expiration Time setting.
2. Click DNSSEC Key List.
4. Click Generations.
5. Change the Rollover Time to today's date and the current time.
6. Change the Expiration Time to a future date.
Important: This date must be no sooner than the maximum TTL of the zone. Additionally, this date must also allow time for you to perform step 6. Your BIND administrator can provide you with the maximum TTL of the key.
7. Click Update.
The system rolls over this generation of the key at the time specified in the Rollover Time setting. The system removes the old generation of the key at the time specified in the Expiration Time setting.
DNSSEC zones map a domain name to a set of DNSSEC keys that the system uses to sign DNSSEC-compliant nameserver responses to DNS queries. You can create, modify, or delete a DNSSEC zone.
Note: Only users with Administrator or Resource Administrator roles can create, modify, and delete DNSSEC zones.
You can create a DNSSEC zone, but before the Global Traffic Manager can sign requests to that zone, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone. For more information about DNSSEC keys, see Managing DNSSEC keys.
2. Click DNSSEC Zone List.
3. Click Create.
5. Click Finished.
Warning: When you click Finished, even if you selected Enabled from the State list, if there is not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Type the name of the zone for which you want the system to sign responses. The name should be a subset of the name of the wide IP within which the zone resides. For example, if the wide IP is named www.siterequest.com, name the zone siterequest.com.
Note: You can associate the same zone-signing key with multiple zones.
Note: You can associate the same key-signing key with multiple zones.
2. Click DNSSEC Zone List.
After you create a DNSSEC zone, you can modify it as necessary. For example, if you created a disabled zone that you are now ready to put into production, you can change the state of the zone to enabled.
2. Click DNSSEC Zone List.
5. Click Update.
You can delete a DNSSEC zone at any time, but once you delete the zone, the system no longer signs DNSSEC requests for the domain that zone represents.
2. Click DNSSEC Zone List.
4. Click Delete.
5. Click Delete again to delete the zone.
Your configuration of BIND is independent of the configuration of DNSSEC on the Global Traffic Manager. If you want to use BIND for delegation or other tasks, you must add the DNSSEC resource records to your BIND configuration; otherwise, BIND is not aware of these records. If you do this, you can view the DNSSEC resource records in Zone Runner.
1. Click ZoneRunner.
2. From the Type list, select the type of record that you want to view.
3. Click Search.
The system returns records of the type you selected. Note that a value of 0 (zero) seconds in the TTL column indicates that the TTL is not set.