81BIG-IP®DNS Services: Implementations

Creating automatically managed DNSSEC zone-signing keys

Ensure that the time setting on BIG-IP®GTM™is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys. Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

• The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.

• The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.

• The difference between the values of the rollover and expiration periods must be more than the value of the TTL.

Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name

System (DNS) Deployment Guide.

Create automatically-managed zone-signing keys for GTM to use in the DNSSEC authentication process.

1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List. The DNSSEC Key List screen opens.

2. Click Create.

The New DNSSEC Key screen opens.

3. In the Name field, type a name for the key. Zone names are limited to63characters.

4. From the Type list, select Zone Signing Key.

5. From the State list, select Enabled.

6. From the Hardware Security Module list, select None.

7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.

8. From the Key Management list, select Automatic. The Key Settings area displays fields for key configuration.

9. In the Bit Width field, type1024.

10.In the TTL field, accept the default value of86400(the number of seconds in one day.)

This value specifies how long a client resolver can cache the key. This value must be less than the difference between the values of the rollover and expiration periods of the key; otherwise, a client can make a query and the system can send a valid key that the client cannot recognize.

11.For the Rollover Period setting, in the Days field, type21.

12.For the Expiration Period setting, in the Days field, type30. Zero seconds indicates not set, and thus the key does not expire.

13.For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.

Zero seconds indicates not set, and thus the server verifying the signature never succeeds, because the signature is always expired.

14.For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.

15.Click Finished.

16.To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating manually managed DNSSEC zone-signing keys

Ensure that the time setting on BIG-IP®GTM™is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys. When you plan to manually create keys, install the certificate and key pairs on the BIG-IP system, before you attempt to create DNSSEC keys.

Important: Certificate and key file pairs must have the same name, for example,exthsm.crtand

exthsm.key.

Create manually-managed zone-signing keys for GTM to use in the DNSSEC authentication process.

1. On the Main tab, click DNS > Delivery > Keys > DNSSEC Key List. The DNSSEC Key List screen opens.

2. Click Create.

The New DNSSEC Key screen opens.

3. In the Name field, type a name for the key. Zone names are limited to63characters.

4. From the Type list, select Zone Signing Key.

5. From the State list, select Enabled.

6. From the Hardware Security Module list, select None.

7. From the Algorithm list, select the digest algorithm the system uses to generate the key signature. Your options are RSA/SHA1, RSA/SHA256, and RSA/SHA512.

8. From the Key Management list, select Manual.

The Key Settings area displays Certificate and Private Key lists.

9. In the Key Settings area, select a certificate/key pair: a) From the Certificate list, select a certificate.

b) From the Private Key list, select the key that matches the certificate you selected.

10.Click Finished.

11.To create a standby key for emergency rollover purposes, repeat these steps using a similar name, and select Disabled from the State list.

Creating automatically managed DNSSEC key-signing keys

Ensure that the time setting on BIG-IP®GTM™is synchronized with the NTP servers on your network. This ensures that each GTM in a synchronization group is referencing the same time when generating keys. Determine the values you want to configure for the rollover period, expiration period, and TTL of the keys, using the following criteria:

• The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.

83