
1/2/2017

AskF5 | Manual Chapter: Configuring DNSSEC

Applies To:
BIG-IP LTM 11.3.0
BIG-IP GTM 11.3.0

Overview: Configuring DNSSEC


You can use BIG-IP Global Traffic Manager (GTM) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.

[Figure: Traffic flow when BIG-IP GTM is the DNSSEC authoritative name server]

How do I prepare for a manual rollover of a DNSSEC key?


When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.

About enhancing DNSSEC key security


https://support.f5.com/kb/enus/products/bigip_ltm/manuals/product/bigipdnsservicesimplementations1130/2.print.html

To enhance DNSSEC key security, BIG-IP Global Traffic Manager (GTM) uses an automatic key rollover process that uses overlapping generations of a key to ensure that BIG-IP GTM can always respond to queries with DNSSEC-compliant responses. BIG-IP GTM dynamically creates new generations of each key based on the values of the Rollover Period and Expiration Period of the key.

The first generation of a key has an ID of 0 (zero). Each time BIG-IP GTM dynamically creates a new generation of a key, the ID increments by one. Over time, each generation of a key overlaps the previous generation of the key. When a generation of a key expires, BIG-IP GTM automatically removes that generation of the key from the configuration. The value of the TTL (time-to-live) of a key specifies how long a client resolver can cache the key.

[Figure: Overlapping generations of a key]

Task summary
Perform these tasks on BIG-IP GTM to secure your DNS infrastructure.

Creating listeners to identify DNS traffic


Create two listeners to identify DNS traffic for which BIG-IP GTM is responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.
Note: DNS zone transfers use TCP port 53. If you do not configure a listener for TCP, the client might receive the error: connection refused or TCP RSTs.
1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create. The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.

4. Click Finished.
Create another listener with the same IP address, but select TCP from the Protocol list.

Creating DNSSEC key-signing keys


Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create key-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
2. Click Create. The New DNSSEC Key screen opens.
3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
4. From the Algorithm list, select the algorithm the system uses to create the key. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.
5. In the Bit Width field, type 2048.
6. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
7. From the Type list, select Key Signing Key.
8. From the State list, select Enabled.
9. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
10. For the Rollover Period setting, in the Days field, type 340.
11. For the Expiration Period setting, in the Days field, type 365. Zero seconds indicates not set, and thus the key does not expire.
Tip: The National Institute of Standards and Technology (NIST) recommends that a key-signing key expire once a year.
12. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
13. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
14. Click Finished.
15. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.

Creating DNSSEC zone-signing keys


Ensure that the time setting on GTM is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys.
Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
- The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
- The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
- The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
Create zone-signing keys for BIG-IP GTM to use in the DNSSEC authentication process.
1. On the Main tab, click Global Traffic > DNSSEC Key List. The DNSSEC Key List screen opens.
2. Click Create. The New DNSSEC Key screen opens.
3. In the Name field, type a name for the key. Zone names are limited to 63 characters.
4. In the Bit Width field, type 1024.
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Zone Signing Key.
7. From the State list, select Enabled.
8. In the TTL field, accept the default value of 86400 (the number of seconds in one day). This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.
9. For the Rollover Period setting, in the Days field, type 21.
10. For the Expiration Period setting, in the Days field, type 30. Zero seconds indicates not set, and thus the key does not expire.
11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period. Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.
12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period. Zero seconds indicates not set, and thus the signature is not cached.
13. Click Finished.
14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
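The following Python script is an added worked example, not part of this F5 manual and not GTM code. It encodes the rollover-period, expiration-period and TTL criteria listed in the key-signing and zone-signing key procedures above, plus the rule that the signature validity period must exceed the signature publication period, and it simulates the overlapping key generations described under About enhancing DNSSEC key security. The KSK values (340/365 days) and ZSK values (21/30 days) are the ones from the procedures; the BAD entry is a constructed misconfiguration, and the generation model (a new generation every rollover period, each removed after its expiration period) is an assumption that follows the chapter's description rather than GTM's implementation.

```python
"""Check BIG-IP GTM DNSSEC key timing rules and simulate overlapping key
generations.

Added example; not F5 code. Rules come from the manual chapter:
  rollover > expiration / 2
  rollover < expiration
  expiration - rollover > TTL
  signature validity > signature publication period
All durations are handled in seconds.
"""
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class KeyTiming:
    name: str
    rollover: int         # seconds between new generations of the key
    expiration: int       # seconds after creation a generation is removed
    ttl: int              # seconds a client resolver may cache the key
    sig_validity: int     # seconds a signature stays valid
    sig_publication: int  # seconds before expiry a new signature is published


def violations(k: KeyTiming) -> list[str]:
    """Return the manual's rules that the timing breaks (empty when valid)."""
    problems = []
    if k.expiration == 0:
        problems.append("expiration is 0: key never expires")
    if not k.rollover > k.expiration / 2:
        problems.append("rollover period must exceed half the expiration period")
    if not k.rollover < k.expiration:
        problems.append("rollover period must be less than the expiration period")
    if not (k.expiration - k.rollover) > k.ttl:
        problems.append("expiration minus rollover must exceed the key TTL")
    if not k.sig_validity > k.sig_publication:
        problems.append("signature validity period must exceed the publication period")
    return problems


def active_generations(k: KeyTiming, t: int) -> list[int]:
    """Generation IDs present t seconds after generation 0 was created.

    Assumed model: generation n is created at n*rollover and removed once
    n*rollover + expiration has passed."""
    if t < 0:
        return []
    newest = t // k.rollover
    return [n for n in range(newest + 1) if n * k.rollover + k.expiration > t]


def min_overlap(k: KeyTiming) -> int:
    """Seconds during which two consecutive generations are both present;
    the manual requires this to be larger than the key TTL."""
    return k.expiration - k.rollover


# Values from the manual's procedures (NIST-derived defaults)
KSK = KeyTiming("ksk", 340 * DAY, 365 * DAY, DAY, 7 * DAY, 4 * DAY + 16 * 3600)
ZSK = KeyTiming("zsk", 21 * DAY, 30 * DAY, DAY, 7 * DAY, 4 * DAY + 16 * 3600)
# Constructed misconfiguration: a 7-day TTL is longer than the 2-day overlap,
# so a resolver can cache a key that the system has already retired
BAD = KeyTiming("bad", 28 * DAY, 30 * DAY, 7 * DAY, 7 * DAY, 4 * DAY + 16 * 3600)

if __name__ == "__main__":
    for key in (KSK, ZSK, BAD):
        print(key.name, violations(key) or "ok",
              "overlap days:", min_overlap(key) // DAY)
    print("ZSK generations present on day 45:", active_generations(ZSK, 45 * DAY))
    print("KSK generations present on day 365:", active_generations(KSK, 365 * DAY))
```

Running the script reports the KSK and ZSK defaults as valid with overlaps of 25 and 9 days, flags the BAD entry for its TTL, and shows the ZSK generations 1 and 2 coexisting on day 45 while generation 0 has already been removed.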

Creating DNSSEC zones


Before BIG-IP GTM can sign zone requests, you must assign at least one enabled zone-signing and one enabled key-signing key to the zone.
1. On the Main tab, click Global Traffic > DNSSEC Zone List. The DNSSEC Zone List screen opens.
2. Click Create. The New DNSSEC Zone screen opens.
3. In the Name field, type a domain name. For example, use a zone name of siterequest.com to handle DNSSEC requests for www.siterequest.com and *.www.siterequest.com.

4. From the State list, select Enabled.
5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone. You can associate the same zone-signing key with multiple zones.
6. For the Key Signing Key setting, assign at least one enabled key-signing key to the zone. You can associate the same key-signing key with multiple zones.
7. Click Finished. Even if you selected Enabled from the State list, if there are not at least one zone-signing and one key-signing key in the Active column, the status of the zone changes to offline.
8. Upload the DS records for this zone to the organization that manages the parent zone. The administrators of the parent zone sign the DS record with their own key and upload it to their zone. You can find the DS records in the file /config/gtm/dsset[dnssec.zone.name] (where zone is the name of the zone you are configuring).
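Before handing the exported DS records to the parent zone's operator, it is worth confirming that they correspond to the DNSKEY the zone actually serves. The Python script below is an added example (not F5 code) that recomputes a DS record from a DNSKEY using the construction in RFC 4034 (key tag from Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA) and compares it with a line from the DS file. The DNSKEY it uses is constructed with a four-byte fake public key so that the key tag (2063) is reproducible; a real RSA/SHA-256 KSK carries a 2048-bit key. The zone name siterequest.com and algorithm number 8 (RSA/SHA-256) follow the chapter; the function names are this example's own.

```python
"""Recompute a DS record from a DNSKEY and compare it with an exported DS line
(RFC 4034 sections 5.1, 6.2 and Appendix B).

Added example; not F5 code. The DNSKEY is constructed with a tiny fake
public key so the result is reproducible offline.
"""
import base64
import hashlib
import struct

# DS digest types: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name: str) -> bytes:
    """Canonical (lower-case) wire form of a domain name."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += struct.pack("!B", len(label)) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> bytes:
    """DNSKEY RDATA: flags (2 bytes), protocol (1), algorithm (1), public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata: bytes) -> int:
    """Key tag from RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner: str, flags: int, protocol: int, algorithm: int,
              pubkey_b64: str, digest_type: int = 2) -> str:
    """Presentation-format DS record for the given DNSKEY."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGEST_TYPES[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"


def _normalize(line: str) -> list[str]:
    # Digest hex may be split by whitespace or written in lower case in a file
    fields = line.split()
    return fields[:6] + ["".join(fields[6:]).upper()]


def ds_matches(dsset_line: str, computed: str) -> bool:
    """True when a line from the exported DS file equals the recomputed DS."""
    return _normalize(dsset_line) == _normalize(computed)


# Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 8 (RSA/SHA-256),
# fake 4-byte public key 01 02 03 04
KSK_DS = ds_record("siterequest.com.", 257, 3, 8, "AQIDBA==")

if __name__ == "__main__":
    print("computed DS:", KSK_DS)
    # A DS line for a key whose last public-key byte differs must not match
    other = ds_record("siterequest.com.", 257, 3, 8, "AQIDBQ==")
    print("matches itself:", ds_matches(KSK_DS, KSK_DS))
    print("matches altered key:", ds_matches(other, KSK_DS))
```

Feed `ds_record` the flags, algorithm and base64 public key from the zone's DNSKEY RRset (as returned by a `dig DNSKEY` query) and compare the result with each line of the exported DS file; a mismatch means the file and the served key are out of step and should be resolved before the parent zone publishes anything.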

Confirming that GTM is signing DNSSEC records


After you create DNSSEC zones and zone-signing keys, you can confirm that GTM is signing the DNSSEC records.
1. Log on to the command-line interface of a client.
2. At the prompt, type: dig @<IP address of GTM listener> +dnssec siterequest.com
GTM returns the signed RRSIG records for the zone.
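As an added example (not F5 code), the Python script below parses the ANSWER section of such a dig +dnssec reply and checks that every RRset carries an RRSIG signed by the zone, that the signature is valid at the time of the check, and that its validity window equals the seven-day Signature Validity Period configured in the key procedures. The dig output embedded in it is constructed, with a placeholder signature, so it runs offline; the function and constant names are this example's own.

```python
"""Parse the ANSWER section of a `dig +dnssec` reply and check the RRSIG
records that GTM should return for a signed zone.

Added example; not F5 code. The dig output is constructed, not captured
from a real GTM, and the signature bytes are a placeholder.
"""
from datetime import datetime, timedelta, timezone

ZONE = "siterequest.com."
SIGNATURE_VALIDITY = timedelta(days=7)   # GTM default from the key procedures

# Constructed sample in dig presentation format
SAMPLE_OK = """\
;; ANSWER SECTION:
www.siterequest.com.\t300\tIN\tA\t192.0.2.10
www.siterequest.com.\t300\tIN\tRRSIG\tA 8 3 300 20170109120000 20170102120000 23456 siterequest.com. dGhpcyBpcyBub3QgYSByZWFsIHNpZ25hdHVyZQ==
"""
# Constructed sample of an unsigned answer (what an unsigned zone returns)
SAMPLE_UNSIGNED = """\
;; ANSWER SECTION:
www.siterequest.com.\t300\tIN\tA\t192.0.2.10
"""
# Fixed "current time" so the example is reproducible
NOW = datetime(2017, 1, 5, 12, 0, tzinfo=timezone.utc)


def _sigtime(s: str) -> datetime:
    """RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC (RFC 4034 3.2)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_answer(text: str) -> list[dict]:
    """Return one dict per resource record in the ANSWER section."""
    records = []
    in_answer = False
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION:"):
            in_answer = True
            continue
        if line.startswith(";;"):
            in_answer = False
        if not in_answer or not line.strip():
            continue
        owner, ttl, rclass, rtype, rdata = line.split(None, 4)
        rec = {"owner": owner, "ttl": int(ttl), "class": rclass, "type": rtype}
        if rtype == "RRSIG":
            f = rdata.split()
            rec.update(covered=f[0], algorithm=int(f[1]), labels=int(f[2]),
                       orig_ttl=int(f[3]), expiration=_sigtime(f[4]),
                       inception=_sigtime(f[5]), key_tag=int(f[6]),
                       signer=f[7], signature="".join(f[8:]))
        else:
            rec["rdata"] = rdata
        records.append(rec)
    return records


def check_signing(text: str, now: datetime = NOW) -> list[str]:
    """Return a list of problems; an empty list means every RRset is signed
    by the zone, valid now, and carries the expected validity window."""
    records = parse_answer(text)
    problems = []
    data_rrsets = {(r["owner"], r["type"]) for r in records if r["type"] != "RRSIG"}
    sigs = {(r["owner"], r["covered"]): r for r in records if r["type"] == "RRSIG"}
    for owner, rtype in sorted(data_rrsets):
        sig = sigs.get((owner, rtype))
        if sig is None:
            problems.append(f"no RRSIG covering {rtype} at {owner}")
            continue
        if sig["signer"] != ZONE:
            problems.append(f"RRSIG {rtype} signed by {sig['signer']}, expected {ZONE}")
        if not sig["inception"] <= now <= sig["expiration"]:
            problems.append(f"RRSIG {rtype} not valid at {now.isoformat()}")
        if sig["expiration"] - sig["inception"] != SIGNATURE_VALIDITY:
            problems.append(f"RRSIG {rtype} window is not {SIGNATURE_VALIDITY}")
    return problems


if __name__ == "__main__":
    print("signed sample:", check_signing(SAMPLE_OK) or "ok")
    print("unsigned sample:", check_signing(SAMPLE_UNSIGNED))
    print("signed sample two weeks later:",
          check_signing(SAMPLE_OK, NOW + timedelta(days=14)))
```

To use it against a real listener, capture the output of the dig command from step 2 and pass it to `check_signing` with `now=datetime.now(timezone.utc)`; the script only inspects the presentation-format fields and does not perform cryptographic verification of the signature, which a validating resolver does.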

Viewing DNSSEC records in ZoneRunner


Ensure that all DNSSEC records are added to the BIND configuration.
View the DNSSEC records using ZoneRunner.
1. On the Main tab, click Global Traffic > ZoneRunner > Resource Record List. The Resource Record List screen opens.
2. From the View Name list, select the name of the view that contains the resource records you want to view.
3. From the Zone Name list, select the zone for which you want to view resource records.
4. From the Type list, select the type of resource records you want to view.
5. Click Search.
View the resource records that display.

Implementation result
BIG-IP GTM is now configured to respond to DNS queries with DNSSEC-compliant responses.

