Manual Chapter: Securing Your DNS Infrastructure
The Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. The BIG-IP® system uses DNSSEC to guarantee the authenticity of responses that a domain name server sends to a client and to return authenticated denial of existence responses.
Because a validating resolver rejects responses whose signatures do not verify, you can use the DNSSEC feature to protect your DNS infrastructure from DNS protocol and server attacks such as response spoofing, transaction ID guessing (ID hacking), and cache poisoning. DNSSEC does not by itself prevent denial of service: signed responses are larger than unsigned ones, so plan capacity with that in mind.
You can use the BIG-IP® Global Traffic Manager system to manage incoming wide IP traffic, load balance that traffic to the appropriate network resources, and to serve as the authoritative name server for wide IPs and all other DNS-related traffic as shown in Figure 4.1. Additionally, you can use the system to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.
Figure 4.1 Example of the flow of traffic when the Global Traffic Manager is a DNSSEC authoritative name server
This implementation covers the tasks necessary to configure a BIG-IP system to be DNSSEC-compliant. This implementation begins after you run the Setup utility and configure the network and system settings for the BIG-IP system that you are adding to the network.
The Setup utility guides you through licensing the product, assigning an IP address to the management port of the system, and configuring the passwords for the root and administrator accounts. While using the Setup utility, you also configure some of the basic network and system settings for the system, such as setting a self IP address and assigning the system to a VLAN.
The network and system settings form the basis of a BIG-IP system configuration. Because these settings have a variety of applications, they are discussed in the TMOS® Management Guide for BIG-IP® Systems. F5 Networks highly recommends that you review this guide to ensure that you configure the basic network and system settings in a way that best fits the needs of your network and your DNS traffic.
Important: Only users with Administrator or Resource Administrator roles assigned to their user accounts on the BIG-IP system can perform these tasks.
Note: All examples in this document use only private class IP addresses. When you set up the configurations we describe, you must use valid IP addresses suitable to your own network in place of our sample addresses.
This implementation describes three different scenarios in which you want to secure your DNS infrastructure to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.
The first scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that contains other BIG-IP systems.
To begin the tasks to configure this scenario, see Adding a Global Traffic Manager system to a network that contains other BIG-IP systems.
The second scenario describes the tasks that you perform if you want to add a new Global Traffic Manager system to a network that already contains a Global Traffic Manager system.
To begin the tasks to configure this scenario, see Adding an additional Global Traffic Manager system to a network.
In these two cases, after you perform the tasks necessary to add the new system to your network, you configure the DNSSEC keys and zones that the system uses to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol.
The third scenario describes the tasks that you perform if you are upgrading an existing Global Traffic Manager system, which is already set up and configured on the network, and you want to add DNSSEC signing of DNS responses.
To begin the tasks to configure this scenario, see Configuring DNSSEC keys and zones.
If you are adding a Global Traffic Manager system to a network that contains other BIG-IP systems, perform the following tasks.
When you are adding a Global Traffic Manager system to a network that contains other BIG-IP systems, the first task you must perform is to specify a data center on the Global Traffic Manager system.
1.
Expand Global Traffic and click Data Centers.
2.
Click Create.
3.
In the Name box, type a unique name to identify the data center.
For example, type Secure Los Angeles.
4.
In the Location box, type the location of the data center.
For example, type Los Angeles.
5.
In the Contact box, type the name of the system administrator or department that is responsible for managing the data center.
For example, type DNSSEC Administrator.
6.
Click Finished.
The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to define a server on the Global Traffic Manager system that you are adding to the network.
1.
Expand Global Traffic and click Servers.
2.
Click Create.
3.
In the Name box, type a unique name for the Global Traffic Manager system that you are currently configuring.
For example, type DNSSEC server.
4.
From the Product list, select your product type:
If the unit you are configuring is a standalone system, select BIG-IP System (Single).
If the unit you are configuring is a redundant system configuration, select BIG-IP System (Redundant).
5.
For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the system that you are currently configuring. Then click Add.
For example, type 192.168.34.1.
6.
From the Data Center list, select the name of the data center that you specified in Specifying a data center.
For example, select Secure Los Angeles.
7.
Click Finished.
The next task that you perform is to synchronize the time setting on the Global Traffic Manager system with the other DNS servers in your network and on the internet. To do this, you define the Network Time Protocol (NTP) server that the system references. Accurate time matters for DNSSEC: the signatures (RRSIG records) that the system generates carry inception and expiration times, and the system uses its clock to roll over and expire keys, so a skewed clock produces signatures that validating resolvers reject or keys that are removed at the wrong time.
1.
Expand System and click Configuration.
3.
For the Time Server List setting, in the Address box, type the IP address of the NTP server.
For example, type 192.168.5.15.
4.
Click Add, and then click Update.
The next task that you perform is to create a synchronization group on the Global Traffic Manager system. BIG-IP systems that are in the same synchronization group exchange heartbeat messages and share probing responsibility. Synchronization ensures the rapid distribution of configuration settings to the other systems that belong to the same synchronization group.
1.
Expand System and then click Configuration.
3.
In the Synchronization Group Name box, type a unique name for the group.
For example, type DNSSEC.
4.
Click Update.
The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to activate synchronization on the Global Traffic Manager system. This turns on synchronization for the synchronization group you just created.
1.
Expand System and then click Configuration.
3.
Check the Synchronization box.
4.
Click Update.
The next task that you perform to add a Global Traffic Manager system to a network that contains other BIG-IP systems is to run a utility to add the Global Traffic Manager system to the network. Run one of the following utilities based on your network configuration:
3.
Press the Enter key.
The utility exchanges the appropriate SSL certificates, and authorizes communications between the systems.
3.
Press the Enter key.
The utility exchanges the appropriate SSL certificates, authorizes communications between the systems, and automatically updates the big3d agents on all the devices.
The next task that you perform is to configure how the Global Traffic Manager system responds to DNS traffic. To do this, you create a listener.
A listener is a specialized resource that is assigned a specific IP address and uses port 53, the DNS query port. When traffic is sent to that IP address, the listener alerts the system, allowing it to handle the traffic locally or forward the traffic to the appropriate resource.
You configure a listener using the self IP address of the Global Traffic Manager system that you are configuring when you want the system to sign the responses that it handles. You can also configure the system to sign the responses from another DNS server on your network. To do this, you create a listener using the IP address of the DNS server.
1.
Expand Global Traffic and click Listeners.
2.
Click Create.
3.
In the Destination box, type the IP address on which the Global Traffic Manager system listens for network traffic based on what you want the system to do:
If you are configuring the system to sign only wide IP responses, type the self IP address of the system that you are configuring.
If you are configuring the system as the authoritative name server for another DNS server on your network, type the IP address of the DNS server.
For example, type 192.168.34.17, the self IP address of the Global Traffic Manager system that you are configuring.
4.
From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests.
For example, select VLAN external.
5.
Click Finished.
6.
To configure the system as the authoritative name server for another DNS server, repeat steps 1 - 5, but enter the IP address of the DNS server in the Destination box.
The first task that you perform to add an additional Global Traffic Manager system to a network is to specify, on an existing Global Traffic Manager system, the data center in which the new Global Traffic Manager resides.
1.
Expand Global Traffic and click Data Centers.
2.
Click Create.
3.
In the Name box, type a unique name to identify the data center.
For example, type Secure Los Angeles.
4.
In the Location box, type the location of the data center.
For example, type Los Angeles.
5.
In the Contact box, type the name of the system administrator or department that is responsible for managing the data center.
For example, type DNSSEC Administrator.
6.
Click Finished.
The next task that you perform is to add the new system to a synchronization group. You perform this task on an existing Global Traffic Manager that is in the synchronization group to which you want to add the new Global Traffic Manager system.
1.
Expand Global Traffic and click Servers.
2.
Click Create.
3.
In the Name box, type the name of the Global Traffic Manager system that you are adding to the network.
For example, type DNSSEC server.
4.
From the Product list, select your product type:
For example, select BIG-IP System (Single).
5.
For the Address List setting, in the Address box, type the self IP address that corresponds to an external VLAN on the new Global Traffic Manager system. Then click Add.
For example, type 192.168.34.1.
6.
From the Data Center list, select the data center that you specified in the previous task.
For example, select Secure Los Angeles.
7.
Click Finished.
The next task that you perform is to run the gtm_add utility. You perform this task on the new Global Traffic Manager system that you are adding to the network.
1.
At the command prompt of the new system, type the following command, where the IP address is that of an existing Global Traffic Manager system in the synchronization group, and then press Enter:
gtm_add <IP address of another Global Traffic Manager system in the synchronization group>
2.
Based on your network configuration, respond to the prompts that display.
Note: If your system has a FIPS hardware security module (HSM), the utility detects the card and prompts you for a series of responses.
The last task to add an additional Global Traffic Manager system to a network is to configure a listener on the new system using the self IP address of the new system.
1.
Expand Global Traffic and click Listeners.
2.
Click Create.
3.
In the Destination box, type the self IP address of the new Global Traffic Manager system.
For example, type 192.168.34.17.
4.
From the VLAN Traffic list, select the VLAN or VLANs on which this system listens for DNS requests.
For example, select VLAN external.
5.
Click Finished.
To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys, and then assign those keys to DNSSEC zones. Perform these tasks on the new Global Traffic Manager system that you added to your network.
The next task in this implementation is to create two DNSSEC key-signing keys. The system uses a key-signing key to sign the DNSKEY record set.
F5 Networks recommends that when you create a key, you create a disabled standby version of the key with a similar name. For example, in this task you create an enabled key-signing key named ksk1, and then create a disabled standby key named ksk2. Later in this implementation, you associate both of these keys with the same zone. This prepares you to easily perform a manual rollover of the key should the enabled key become compromised. For more information about manual rollover, see the Configuration Guide for BIG-IP® Global Traffic Manager.
1.
Expand Global Traffic and click DNSSEC Key List.
2.
Click Create.
3.
In the Name box, type a unique name for the key.
For example, type ksk1.
4.
In the Bit Width box, type 2048.
5.
From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6.
From the Type list, select Key Signing Key.
7.
From the State list, make a selection based on whether you are creating the enabled or standby key.
For example, select Enabled for ksk1.
8.
In the TTL box, accept the default value of 86400 (the number of seconds in one day).

Note: The value of the TTL specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover period and expiration period of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9.
In the Rollover Period box, type 28987147 (the number of seconds in 11 months).

Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: After the key rolls over, you must send the DS records for the zone to which this key is associated to the organization that manages the parent zone. Therefore, F5 Networks recommends that you base the values that you specify for the rollover and expiration periods on the time required for that communication cycle to complete.
10.
In the Expiration Period box, type 31556952 (the number of seconds in one year).

Important: The value of the expiration period must be more than the value of the rollover period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
11.
Click Finished.
12.
To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key ksk2, and select Disabled from the State list.
The next task in this implementation is to create two DNSSEC zone-signing keys. The system uses a zone-signing key to sign all of the record sets in a zone.
F5 Networks recommends that when you create a key, you create a disabled standby version of the key with a similar name. For example, in this task you create an enabled zone-signing key named zsk1, and then create a disabled standby key named zsk2. Later in this implementation, you associate both of these keys with the same zone. This prepares you to easily perform a manual rollover of the key should the enabled key become compromised. For more information about manual rollover, see the Configuration Guide for BIG-IP® Global Traffic Manager.
1.
Expand Global Traffic and click DNSSEC Key List.
2.
Click Create.
3.
In the Name box, type a unique name for the key.
For example, type zsk1.
4.
In the Bit Width box, type 1024.
Note: 1024-bit RSA keys are no longer considered adequate for signing (NIST SP 800-131A disallows them); where your system accepts it, use 2048 for the zone-signing key as well.
5.
From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6.
From the Type list, select Zone Signing Key.
7.
From the State list, make a selection based on whether you are creating the enabled or standby key.
8.
In the TTL box, accept the default value of 86400 (the number of seconds in one day).

Note: The value of the TTL specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover period and expiration period of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9.
In the Rollover Period box, type 1814400 (the number of seconds in 21 days).

Important: The value of the rollover period must be greater than or equal to one third of the value of the expiration period, and less than the value of the expiration period. Additionally, the difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The DS records that you send to the parent zone are derived from the key-signing key, not from the zone-signing key, so a zone-signing key rollover does not require any communication with the parent. The rollover and expiration periods still need to leave a gap greater than the TTL so that resolvers holding the old key in cache can continue to validate until it expires.
10.
In the Expiration Period box, type 2592000 (the number of seconds in 30 days).

Tip: The National Institute of Standards and Technology (NIST) recommends that a zone-signing key expire every 30 days.
11.
Click Finished.
12.
To create a standby key for emergency rollover purposes, repeat steps 1 - 11, but name the key zsk2, and select Disabled from the State list.
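The Important and Note text in the key-signing and zone-signing key steps above states three arithmetic rules that the TTL, rollover period and expiration period must satisfy. The following is an added example, not code from the F5 manual or the BIG-IP product: it checks the chapter's own values (KSK 86400/28987147/31556952, ZSK 86400/1814400/2592000) against those rules before you type them into the GUI, and reports which rule a bad combination breaks. The parent_ds_cycle argument is an assumed figure (how long your parent zone operator takes to publish a new DS record) used to illustrate the note about timing the DS submission; it applies to key-signing keys only, because only the KSK is referenced by a DS record.

```python
DAY = 86400

# Values from the chapter's key creation steps.
KSK_TIMING = {"ttl": DAY, "rollover": 28987147, "expiration": 31556952}
ZSK_TIMING = {"ttl": DAY, "rollover": 1814400, "expiration": 2592000}


def check_key_timing(name, ttl, rollover, expiration, ksk=False, parent_ds_cycle=None):
    """Return the list of rule violations for one key's timing values (empty list: acceptable).

    Rules are the ones stated in the Important/Note text of the key creation steps:
      rollover >= expiration / 3
      rollover <  expiration
      expiration - rollover > ttl   (otherwise a resolver may cache a key it no longer recognizes)
    parent_ds_cycle is an assumed figure (not from the chapter): how long the parent zone
    operator takes to publish a new DS record.  It only constrains a key-signing key,
    because only the KSK is referenced by a DS record in the parent zone.
    """
    problems = []
    if rollover < expiration / 3:
        problems.append(f"{name}: rollover period {rollover}s is below one third of the "
                        f"expiration period {expiration}s")
    if rollover >= expiration:
        problems.append(f"{name}: rollover period {rollover}s must be less than the "
                        f"expiration period {expiration}s")
    if expiration - rollover <= ttl:
        problems.append(f"{name}: expiration minus rollover ({expiration - rollover}s) "
                        f"must exceed the TTL ({ttl}s)")
    if ksk and parent_ds_cycle is not None and expiration - rollover <= parent_ds_cycle:
        problems.append(f"{name}: window between rollover and expiration ({expiration - rollover}s) "
                        f"is too short for the parent to publish the new DS ({parent_ds_cycle}s)")
    return problems


def describe(seconds):
    """Seconds as days, for readable output."""
    return f"{seconds / DAY:.1f} days"


if __name__ == "__main__":
    # The chapter's values, assuming a two-week DS publication cycle at the parent.
    for label, values, is_ksk in (("ksk1", KSK_TIMING, True), ("zsk1", ZSK_TIMING, False)):
        issues = check_key_timing(label, ksk=is_ksk, parent_ds_cycle=14 * DAY, **values)
        window = describe(values["expiration"] - values["rollover"])
        print(label, "ok, rollover-to-expiration window", window) if not issues else print(issues)

    # A constructed bad ZSK: rollover only 42000 s before expiration, less than the one-day TTL.
    print(check_key_timing("zsk-too-tight", ttl=DAY, rollover=2550000, expiration=2592000))
```

With the chapter's values both keys pass: the KSK leaves a window of about 29.7 days between rollover and expiration and the ZSK about 9 days, both comfortably more than the one-day TTL.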
The next task in this implementation is to create a DNSSEC zone. Before the BIG-IP system can sign responses for a zone, you must assign at least one enabled zone-signing key and one enabled key-signing key to the zone.
In this task, to prepare for a manual rollover, you assign to the zone both the enabled and disabled key-signing and zone-signing keys that you created previously in this implementation.
1.
Expand Global Traffic and click DNSSEC Zone List.
2.
Click Create.
3.
In the Name box, type the fully qualified domain name (FQDN) of the zone that you want the system to sign.
For example, type siterequest.com.
4.
From the State list, accept the default value of Enabled.
5.
For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.
For example, move the zsk1 and zsk2 zone-signing keys from the Available list to the Active list.
6.
For the Key Signing Key setting, assign at least one enabled key-signing key to the zone.
For example, move the ksk1 and ksk2 key-signing keys from the Available list to the Active list.
7.
Click Finished.
8.
Upload the DS records for this zone to the organization that manages the parent zone. The system writes the DS records to the file /config/gtm/dsset-<zone name>, where <zone name> is the name of the zone you are configuring. In this example, the file is /config/gtm/dsset-siterequest.com. Until the parent zone publishes these DS records, validating resolvers have no chain of trust to your zone and treat it as unsigned.
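Step 8 hands the DS records to the parent zone. The following is an added example, not F5 code and not the format specification of the BIG-IP dsset file: it derives DS records from DNSKEY records the way RFC 4034 defines them (key tag from Appendix B, SHA-256 digest over the canonical owner name plus the DNSKEY RDATA) and includes a parser you can run over the lines of a dsset file before uploading them. Assumptions: the zone is the chapter's siterequest.com; algorithm 8 (RSA/SHA-256) and digest type 2 (SHA-256) are chosen for illustration because the chapter names neither; the two public keys are constructed toy byte strings, not real key material. The point it demonstrates is that only the key with the SEP flag (flags 257, the key-signing key) yields a DS record, which is why a zone-signing key rollover needs no parent update.

```python
import hashlib
import struct

ZONE = "siterequest.com."   # the chapter's example zone

# Constructed placeholder keys (name, flags, algorithm, public key wire bytes).
# Flags 257 = ZONE (256) + SEP (1): a key-signing key.  Flags 256: a zone-signing key.
# Algorithm 8 is RSA/SHA-256 (an assumption; the chapter does not name one).  The
# "public key" is a toy RSA wire encoding (exponent length 3, exponent 65537, two
# modulus bytes) and is not real key material.
KSK_PUBKEY = bytes.fromhex("03010001ABCD")
ZSK_PUBKEY = bytes.fromhex("030100011234")
EXAMPLE_KEYS = [
    ("ksk1", 257, 8, KSK_PUBKEY),
    ("zsk1", 256, 8, ZSK_PUBKEY),
]

DIGEST_HEX_LEN = {1: 40, 2: 64, 4: 96}   # SHA-1, SHA-256, SHA-384 digest types


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lower-case, length-prefixed labels."""
    labels = name.rstrip(".").lower().split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags, algorithm, pubkey):
    """DNSKEY RDATA: 16-bit flags, protocol (always 3), algorithm, public key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata):
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except the obsolete algorithm 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, algorithm, pubkey):
    """Presentation-format DS record (RFC 4034 section 5.1.4) with a SHA-256 (type 2) digest."""
    rdata = dnskey_rdata(flags, algorithm, pubkey)
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


def dsset_for_zone(owner, keys):
    """DS lines for the keys that carry the SEP flag, i.e. the key-signing keys only.
    A zone-signing key never appears here, which is why rolling a ZSK needs no parent update."""
    return [ds_record(owner, flags, alg, pub) for (_, flags, alg, pub) in keys if flags & 0x0001]


def parse_ds_line(line):
    """Sanity-check one DS line before you upload it; returns its fields, or None if malformed."""
    fields = line.split()
    if len(fields) != 7 or fields[1:3] != ["IN", "DS"]:
        return None
    owner, _, _, tag, alg, dtype, digest = fields
    if not (tag.isdigit() and alg.isdigit() and dtype.isdigit()):
        return None
    tag, alg, dtype = int(tag), int(alg), int(dtype)
    if DIGEST_HEX_LEN.get(dtype) != len(digest):   # digest length must match the digest type
        return None
    try:
        bytes.fromhex(digest)
    except ValueError:
        return None
    return {"owner": owner, "key_tag": tag, "algorithm": alg, "digest_type": dtype, "digest": digest}


if __name__ == "__main__":
    for line in dsset_for_zone(ZONE, EXAMPLE_KEYS):
        print(line)
        print("parsed:", parse_ds_line(line))
```

Running it prints a single DS line for ksk1 and nothing for zsk1. Comparing the key tag it prints with the tags in /config/gtm/dsset-siterequest.com is a quick way to confirm that the file you are about to upload corresponds to the key-signing key that is currently enabled on the zone.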
The Global Traffic Manager system is now configured to handle incoming DNS traffic and to respond to DNS queries with DNSSEC-compliant responses.