Applies To:

Show Versions Show Versions

Manual Chapter: Configuring DNSSEC
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Introducing DNSSEC

About DNSSEC

Domain Name System Security Extensions (DNSSEC) is an industry-standard protocol that functions as an extension to the Domain Name System (DNS) protocol. BIG-IP Global Traffic Manager (GTM) uses DNSSEC to guarantee the authenticity of DNS responses and to return Denial of Existence responses thus protecting your network against DNS protocol and DNS server attacks.

About DNSSEC keys

BIG-IP Global Traffic Manager (GTM) uses two types of DNSSEC keys to return DNSSEC-compliant responses: a zone-signing key to sign all of the records in a DNSSEC resource record set, and a key-signing key to sign only the DNSKEY record (that is the zone-signing key) of a DNSSEC record set.

How do I prepare for a manual rollover of a DNSSEC key?

When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys, should an enabled key become compromised.

About enhancing DNSSEC key security

To enhance DNSSEC key security, when automatic key management is configured, BIG-IP Global Traffic Manager (GTM) uses an automatic key rollover process that uses overlapping generations of a key to ensure that BIG-IP GTM can always respond to queries with DNSSEC-compliant responses. BIG-IP GTM dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period of the key.

The first generation of a key has an ID of 0 (zero). Each time BIG-IP GTM dynamically creates a new generation of a key, the ID increments by one. Over time, each generation of a key overlaps the previous generation of the key ensuring that GTM can respond to a DNSSEC query even if one generation of a key becomes unavailable. When a generation of a key expires, BIG-IP GTM automatically removes that generation of the key from the configuration. The value of the TTL (time-to-live) of a key specifies how long a client resolver can cache the key.

Overlapping generations of a key Overlapping generations of a key

About SEP records and DNSSEC

Each DNSSEC zone has a list of read-only Security Entry Point (SEP) records. The BIG-IP system creates these records automatically when you create a zone. These SEP records consist of Delegation Signer (DS) and DNSKey records.

Obtaining a trust or DLV anchor

Determine the signed zones from which you want to obtain a trust or DLV anchor.
If you want the BIG-IP system to cache a validated response for the signed zones, you need to obtain a trust or DLV anchor.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click the name of the DNSSEC zone for which you want to view or copy SEP records.
  3. On the menu bar, click SEP Records. The SEP records display for each generation of a key.
  4. Copy the trust or DLV anchor from the DNSKEY Record field.
Add the trust or DLV anchor to the validating cache resolver DNS cache.

About configuring DNSSEC

You can use BIG-IP Global Traffic Manager (GTM) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

Traffic flow when BIG-IP GTM is DNSSEC authoritative nameserver

Configuring basic DNSSEC

You can secure the DNS traffic handled by BIG-IP GTM using the DNSSEC protocol.

Task summary

Perform these tasks to configure DNSSEC on GTM.

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol. If you have multiple BIG-IP GTM systems in a device group, perform this procedure on only one system.
Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs.
  1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
  2. Click Create. The new Listeners screen opens.
  3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
  4. Click Finished.
Create another listener with the same IP address, but select TCP from the Protocol list.

Creating automatically managed DNSSEC zone-signing keys

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create automatically-managed zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 1024.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 21.
  12. For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
  13. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC zone-signing keys

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.
Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create manually-managed zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 2048.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 340.
  12. For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  13. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC key-signing keys

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.
Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select None.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zones

Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click Create. The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.sitrequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
  7. Click Finished. Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.

Confirming that GTM is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type: dig @<IP address of GTM listener> +dnssec <name of zone> GTM returns the signed RRSIG records for the zone.

Configuring DNSSEC with an external HSM

You can configure BIG-IP GTM to use the DNSSEC protocol to secure the DNS traffic handled by GTM in conjunction with an external HSM system.

Task summary

Perform these tasks to configure DNSSEC on GTM.

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol. If you have multiple BIG-IP GTM systems in a device group, perform this procedure on only one system.
Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs.
  1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
  2. Click Create. The new Listeners screen opens.
  3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
  4. Click Finished.
Create another listener with the same IP address, but select TCP from the Protocol list.

Creating automatically managed DNSSEC zone-signing keys for use with an external HSM

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 1024.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 21.
  12. For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
  13. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC zone-signing keys for use with an external HSM

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.
Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys for use with an external HSM

Ensure that the time setting on BIG-IP GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 2048.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 340.
  12. For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  13. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC key-signing keys for use with an external HSM

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.
Important: Certificate and key file pairs must have the same name, for example, exthsm.crt and exthsm.key.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select External, if you use a network HSM.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Manual. The Key Settings area displays Certificate and Private Key lists.
  9. In the Key Settings area, select a certificate/key pair:
    1. From the Certificate list, select a certificate.
    2. From the Private Key list, select the key that matches the certificate you selected.
  10. Click Finished.
  11. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zones

Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click Create. The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.sitrequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
  7. Click Finished. Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.

Confirming that GTM is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type: dig @<IP address of GTM listener> +dnssec <name of zone> GTM returns the signed RRSIG records for the zone.

Configuring DNSSEC with an internal HSM

You can configure BIG-IP GTM to use the DNSSEC protocol to secure the DNS traffic handled by GTM in conjunction with an internal HSM system.

Task summary

Perform these tasks to configure DNSSEC on GTM.

Creating listeners to identify DNS traffic

Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol. If you have multiple BIG-IP GTM systems in a device group, perform this procedure on only one system.
Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP the client might receive the error: connection refused or TCP RSTs.
  1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
  2. Click Create. The new Listeners screen opens.
  3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
  4. Click Finished.
Create another listener with the same IP address, but select TCP from the Protocol list.

Creating automatically managed DNSSEC zone-signing keys for use with an internal HSM

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process in conjunction with an internal HSM.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Zone Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select Internal, if you use a FIPs internal HSM card.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 1024.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 21.
  12. For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
  13. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys for use with an internal HSM

Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.

Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

  • The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
  • The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
  • The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process in conjunction with an internal HSM.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click Create. The New DNSSEC Key screen opens.
  3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
  4. From the Type list, select Key Signing Key.
  5. From the State list, select Enabled.
  6. From the Hardware Security Module list, select Internal, if you use a FIPs internal HSM card.
  7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
  8. From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.
  9. In the Bit Width field, type 2048.
  10. In the TTL field, accept the default value of 86400 (the number of seconds in one day.) This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
  11. For the Rollover Period setting, in the Days field, type 340.
  12. For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire.
    Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
  13. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
  14. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
  15. Click Finished.
  16. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zones

Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click Create. The New DNSSEC Zone screen opens.
  3. In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.sitrequest.com.
  4. From the State list, select Enabled.
  5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
  6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
  7. Click Finished. Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the Configuration utility.

Confirming that GTM is signing DNSSEC records

After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records.
  1. Log on to the command-line interface of a client.
  2. At the prompt, type: dig @<IP address of GTM listener> +dnssec <name of zone> GTM returns the signed RRSIG records for the zone.

Troubleshooting DNSSEC on the BIG-IP system

On BIG-IP GTM, you can view DNSSEC records in ZoneRunner, access and view DNSSEC SEP Records, and modify generations of a DNSSEC key.

Task summary

When you want to troubleshoot the DNSSEC configuration on GTM, perform these tasks.

Viewing DNSSEC records in ZoneRunner

Ensure that all DNSSEC records are added to the BIND configuration.
View the DNSSEC records using ZoneRunner when you want to evaluate how your network is handling DNSSEC traffic.
  1. On the Main tab, click Global Traffic > ZoneRunner > Resource Record List. The Resource Record List screen opens.
  2. From the View Name list, select the name of the view that contains the resource records you want to view.
  3. From the Zone Name list, select the zone for which you want to view resource records.
  4. From the Type list, select the type of resource records you want to view.
  5. Click Search.
View the resource records that display.

Accessing DNSSEC SEP records

Ensure that the BIG-IP system contains at least one DNSSEC zone.
Access the SEP records associated with a DNSSEC zone, when you want to copy the DS or DNSKEY records for the zone.
  1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
  2. Click the name of the DNSSEC zone for which you want to view or copy SEP records.
  3. On the menu bar, click SEP Records. The SEP records display for each generation of a key.
  4. From the Generation list, select a generation of the key-signing key. The DS Record and DNSKEY Record fields display read-only Security Entry Point (SEP) records, specifically the DS (Delegation Signer) and DNSKey records.

Modifying generations of a DNSSEC key

Modify a generation of a DNSSEC key, when you want to perform an emergency rollover of a compromised key for which you do not have a standby key.
  1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
  2. Click a number in the Generations column. Information about this generation of the key displays.
    Column Title Contains
    ID Generation number of the key
    Key Tag Identifier (hash) of this generation of the key
    Creator Host name of BIG-IP GTM that created this generation of the key
    Rollover Time Time this generation of the key will roll over
    Expiration Time Time this generation of the key will expire
  3. Click the number in the ID column. The general properties of the generation of the key display.
  4. Select Specify from the Rollover Time list, and then select the exact time that you want the BIG-IP system to create and begin to use a new generation of this key. Modifying this setting does not affect the value of the rollover and expiration periods of the key.
  5. Select Specify from the Expiration Time list, and then select the exact time that you want this generation of the key to expire. Modifying this setting does not affect the value of the rollover and expiration periods of the key.
  6. Click Update.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)