BIG-IP® Global Traffic Manager™: Implementations
Table of Contents
Legal Notices...9
Acknowledgments...11
Chapter 1: Upgrading BIG-IP GTM to Version 11...13
Converting a statistics collection server to a Prober pool automatically...14
Chapter 2: Delegating DNS Traffic to Wide IPs...15
Overview: Delegating DNS traffic to wide IPs...16
About listeners...17
Task summary...17
Creating a delegated zone on a local DNS server...17
Creating a self IP address using the IP address of the legacy DNS server...17
Designating GTM as the primary server for the zone...18
Creating a listener to handle traffic for wide IPs...18
Implementation results...19
Chapter 3: Replacing a DNS Server with BIG-IP GTM...21
Overview: Replacing a DNS server with BIG-IP GTM...22
About listeners...22
Task summary...23
Configuring the legacy DNS server to allow zone file transfers...23
Acquiring zone files from the legacy DNS server...23
Creating a self IP address using the IP address of the legacy DNS server...24
Designating GTM as the primary server for the zone...24
Creating listeners to identify DNS traffic...24
Implementation results...25
Chapter 4: Sending Traffic Through BIG-IP GTM...27
Overview: Configuring GTM to pass traffic to an existing DNS server...28
About listeners...29
About Router mode...29
About Bridge mode...29
Task summary...29
Placing GTM on your network to forward traffic...29
Creating a listener to forward traffic to a DNS server on a different network segment...29
Creating a listener to forward traffic to a DNS server on the same network segment...30
Implementation results...30
3 Table of Contents
Chapter 5: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers...31
Overview: Load balancing non-wide IP traffic to a pool of DNS servers...32
About listeners...32
Task summary...32
Creating a pool of local DNS servers...32
Creating a listener that alerts GTM to DNS queries for a pool of DNS servers...32
Implementation results...33
Chapter 6: Load Balancing DNS Traffic Between IPv6-Only and IPv4-Only Clouds...35
Overview: Load balancing IPv6-only connection requests to IPv4-only servers...36
Task summary...36
Creating a custom DNS profile ...36
Assigning a DNS profile to a virtual server...37
Implementation results...38
Chapter 7: Configuring GTM on a Network with One Route Domain...39
Overview: How do I deploy BIG-IP GTM on a network with one route domain?...40
Task summary...40
Creating VLANs for a route domain on BIG-IP LTM...41
Creating a route domain on BIG-IP LTM...41
Creating a self IP address for a route domain on BIG-IP LTM...42
Defining a server for a route domain on BIG-IP GTM...42
Implementation results...43
Chapter 8: Configuring GTM on a Network with Multiple Route Domains...45
Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?...46
Task summary...47
Creating VLANs for a route domain on BIG-IP LTM...48
Creating a route domain on BIG-IP LTM...48
Creating a self IP address for a route domain on BIG-IP LTM...49
Disabling auto-discovery at the global-level on BIG-IP GTM...49
Defining a server for a route domain on BIG-IP GTM...49
Implementation results...50
Chapter 9: Securing Your DNS Infrastructure...51
Overview: Securing your DNS infrastructure...52
How do I prepare for a manual rollover of a DNSSEC key?...52
Task summary...52
Creating DNSSEC key-signing keys...53
Creating DNSSEC zone-signing keys...53
Creating DNSSEC zones...54
Validating that a zone is correctly signed ...55
Specifying which GTM creates new generations of DNSSEC keys...55
Implementation results...55
Chapter 10: Configuring DNS Express on BIG-IP Systems...57
Overview: How do I configure a BIG-IP system to mitigate DDoS attacks?...58
What is DNS Express?...58
Task summary...58
Creating a DNS Express TSIG key...58
Creating a DNS Express zone...58
Configuring the legacy DNS server to allow zone file transfers...59
Creating a DNS Express profile ...59
Assigning a DNS Express profile to a virtual server...60
Assigning a DNS Express profile to a listener...60
Viewing information about DNS Express zones...60
Implementation results...61
Chapter 11: Configuring IP Anycast (Route Health Injection)...63
Overview: Configuring IP Anycast (Route Health Injection)...64
Task summary...64
Enabling the ZebOS dynamic routing protocol...64
Creating a custom DNS profile...64
Configuring a listener for route advertisement...65
Verifying advertisement of the route to a listener...66
Implementation results...66
Chapter 12: Configuring BIG-IP GTM VIPRION Systems...67
Overview: Configuring BIG-IP GTM VIPRION systems...68
Configuring dependency for virtual server status...68
Chapter 13: Ensuring Correct Synchronization When Adding GTM to a Network...69
Overview: Ensuring correct synchronization when adding GTM to a network...70
What is configuration synchronization?...70
About NTP Servers and Synchronization...70
About adding an additional BIG-IP GTM to your network...70
Task summary...71
Defining an NTP server on the existing GTM...71
Enabling synchronization on the existing GTM...71
Creating a data center on the existing GTM...71
Defining a server ...72
Running the gtm_add script on the new GTM...73
Implementation results...73
Chapter 14: Integrating BIG-IP GTM with Other BIG-IP Systems...75
Overview: Integrating GTM with older BIG-IP systems on my network...76
About the iQuery protocol and the big3d agent...76
Task summary...76
Defining a data center...77
Defining BIG-IP GTM...77
Defining the existing BIG-IP systems...78
Running the big3d_install script...79
Implementation results...79
Chapter 15: Setting Up a BIG-IP GTM Redundant System Configuration...81
Overview: Configuring a BIG-IP GTM redundant system...82
Task summary...82
Defining an NTP server...82
Creating listeners to identify DNS traffic...82
Defining a data center...83
Defining a server ...83
Enabling global traffic configuration synchronization...84
Running the gtm_add script ...85
Chapter 16: Authenticating with SSL Certificates Signed by a Third Party...87
Overview: Authenticating with SSL certificates signed by a third party...88
SSL Authentication...88
Configuring Level 1 SSL authentication...88
Importing the device certificate...88
Importing the root certificate for the gtmd agent...89
Importing the root certificate for the big3d agent...89
Verifying the certificate exchange...89
Implementation Results...90
Configuring certificate chain SSL authentication...90
Creating a certificate chain file ...90
Importing the device certificate from the last CA server in the chain...90
Importing a certificate chain file for the gtmd agent...91
Importing a certificate chain for the big3d agent...91
Verifying the certificate chain exchange...91
Implementation results...92
Chapter 17: Monitoring Third-Party Servers with SNMP...93
Overview: SNMP monitoring of third-party servers...94
Task summary...94
Creating an SNMP monitor...94
Defining a third-party host server that is running SNMP...94
Implementation results...95
Chapter 18: Configuring Device-Specific Probing and Statistics Collection...97
Overview: Configuring device-specific probing and statistics collection...98
About Prober pools...98
About Prober pool status...99
About Prober pool statistics...99
Task summary...100
Creating a Prober pool...100
Assigning a Prober pool to a data center...100
Assigning a Prober pool to a server...101
Viewing Prober pool statistics and status...101
Which Prober pool member marked my resource down?...101
Implementation results...102
Chapter 19: Diagnosing Network Connection Issues...103
Diagnosing network connection issues...104
Viewing information about connections between BIG-IP GTM and other BIG-IP systems ...104
iQuery statistics descriptions...104
Legal Notices
Publication Date
This document was published on August 17, 2011.
Publication Number
MAN-0356-00
Copyright
Copyright © 2011, F5 Networks, Inc. All rights reserved.
F5 Networks, Inc. (F5) believes the information it furnishes to be accurate and reliable. However, F5 assumes no responsibility for the use of this information, nor any infringement of patents or other rights of third parties which may result from its use. No license is granted by implication or otherwise under any patent, copyright, or other intellectual property right of F5 except as specifically described by applicable user licenses. F5 reserves the right to change specifications at any time without notice.
Trademarks
3DNS, Access Policy Manager, Acopia, Acopia Networks, Advanced Client Authentication, Advanced Routing, APM, Application Security Manager, ARX, AskF5, ASM, BIG-IP, Cloud Extender, CloudFucious, CMP, Data Manager, DevCentral, DevCentral [DESIGN], DNS Express, DSC, DSI, Edge Client, Edge Gateway, Edge Portal, EM, Enterprise Manager, F5, F5 [DESIGN], F5 Management Pack, F5 Networks, F5 World, Fast Application Proxy, Fast Cache, FirePass, Global Traffic Manager, GTM, IBR, Intelligent Browser Referencing, Intelligent Compression, IPv6 Gateway, iApps, iControl, iHealth, iQuery, iRules, iRules OnDemand, iSession, IT agility. Your way., L7 Rate Shaping, LC, Link Controller, Local Traffic Manager, LTM, Message Security Module, MSM, Netcelera, OneConnect, Packet Velocity, Protocol Security Module, PSM, Real Traffic Policy Builder, ScaleN, SSL Acceleration, StrongBox, SuperVIP, SYN Check, TCP Express, TDR, TMOS, Traffic Management Operating System, TrafficShield, Transparent Data Reduction, VIPRION, vCMP, WA, WAN Optimization Manager, WANJet, WebAccelerator, WOM, and ZoneRunner, are trademarks or service marks of F5 Networks, Inc., in the U.S. and other countries, and may not be used without F5's express written consent.
All other product and company names herein may be trademarks of their respective owners.
Patents
This product may be protected by U.S. Patents 6,374,300; 6,473,802; 6,970,733; 7,047,301; 7,707,289. This list is believed to be current as of August 17, 2011.
Export Regulation Notice
This product may include cryptographic software. Under the Export Administration Act, the United States government may consider it a criminal offense to export this product from the United States.
RF Interference Warning
This is a Class A product. In a domestic environment this product may cause radio interference, in which case the user may be required to take adequate measures.
FCC Compliance
This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of FCC rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This unit generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user, at his own expense, will be required to take whatever measures may be required to correct the interference.
Any modifications to this device, unless expressly approved by the manufacturer, can void the user's authority to operate this equipment under part 15 of the FCC rules.
Canadian Regulatory Compliance
This Class A digital apparatus complies with Canadian ICES-003.
Standards Compliance
This product conforms to the IEC, European Union, ANSI/UL and Canadian CSA standards applicable to Information Technology products at the time of manufacture.
Acknowledgments
This product includes software developed by Gabriel Forté. This product includes software developed by Bill Paul. This product includes software developed by Jonathan Stone. This product includes software developed by Manuel Bouyer. This product includes software developed by Paul Richards.
This product includes software developed by the NetBSD Foundation, Inc. and its contributors. This product includes software developed by the Politecnico di Torino, and its contributors.
This product includes software developed by the Swedish Institute of Computer Science and its contributors. This product includes software developed by the University of California, Berkeley and its contributors. This product includes software developed by the Computer Systems Engineering Group at the Lawrence Berkeley Laboratory.
This product includes software developed by Christopher G. Demetriou for the NetBSD Project. This product includes software developed by Adam Glass.
This product includes software developed by Christian E. Hopps. This product includes software developed by Dean Huxley. This product includes software developed by John Kohl. This product includes software developed by Paul Kranenburg. This product includes software developed by Terrence R. Lambert. This product includes software developed by Philip A. Nelson. This product includes software developed by Herb Peyerl.
This product includes software developed by Jochen Pohl for the NetBSD Project. This product includes software developed by Chris Provenzano.
This product includes software developed by Theo de Raadt. This product includes software developed by David Muir Sharnoff. This product includes software developed by SigmaSoft, Th. Lockert.
This product includes software developed for the NetBSD Project by Jason R. Thorpe.
This product includes software developed by Jason R. Thorpe for And Communications, http://www.and.com. This product includes software developed for the NetBSD Project by Frank Van der Linden.
This product includes software developed for the NetBSD Project by John M. Vinopal. This product includes software developed by Christos Zoulas.
This product includes software developed by the University of Vermont and State Agricultural College and Garrett A. Wollman.
This product includes software developed by Balazs Scheidler ([email protected]), which is protected under the GNU Public License.
This product includes software developed by Niels Mueller ([email protected]), which is protected under the GNU Public License.
In the following statement, This software refers to the Mitsumi CD-ROM driver: This software was developed by Holger Veit and Brian Moore for use with 386BSD and similar operating systems. Similar operating systems includes mainly non-profit oriented systems for research and education, including but not restricted to NetBSD, FreeBSD, Mach (by CMU).
This product includes software developed by the Apache Group for use in the Apache HTTP server project (http://www.apache.org/).
This product includes software licensed from Richard H. Porter under the GNU Library General Public License (© 1998, Red Hat Software), www.gnu.org/copyleft/lgpl.html.
This product includes the standard version of Perl software licensed under the Perl Artistic License (© 1997, 1998 Tom Christiansen and Nathan Torkington). All rights reserved. You may find the most current standard version of Perl at http://www.perl.com.
This product includes software developed by Jared Minch.
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young ([email protected]).
This product contains software based on oprofile, which is protected under the GNU Public License. This product includes RRDtool software developed by Tobi Oetiker (http://www.rrdtool.com/index.html) and licensed under the GNU General Public License.
This product contains software licensed from Dr. Brian Gladman under the GNU General Public License (GPL).
This product includes software developed by the Apache Software Foundation (http://www.apache.org/). This product includes Hypersonic SQL.
This product contains software developed by the Regents of the University of California, Sun Microsystems, Inc., Scriptics Corporation, and others.
This product includes software developed by the Internet Software Consortium.
This product includes software developed by Nominum, Inc. (http://www.nominum.com).
This product contains software developed by Broadcom Corporation, which is protected under the GNU Public License.
This product contains software developed by MaxMind LLC, and is protected under the GNU Lesser General Public License, as published by the Free Software Foundation.
This product includes the GeoPoint Database developed by Quova, Inc. and its contributors.
Chapter 1: Upgrading BIG-IP GTM to Version 11
Topics:
• Converting a statistics collection server to a Prober pool automatically
Converting a statistics collection server to a Prober pool automatically
In version 10.2 of BIG-IP® Global Traffic Manager™ (GTM™), you could assign a single BIG-IP® system to probe a server to gather health and performance data. You did this by specifying the IP address of the BIG-IP system (which you chose to perform probes of the server) in the Statistics Collection Server field of the server. In version 11.0, this feature is replaced by the Prober pool feature.
When you upgrade from version 10.2.x to version 11.0, if a single BIG-IP system was assigned to probe a server, BIG-IP GTM converts that Statistics Collection server to a Prober pool with one member, and then assigns the Prober pool to the server to which the Statistics Collection server was originally assigned. The name of the new Prober pool is based on the IP address of the original Statistics Collection server. If the original Statistics Collection server had an IP address of 10.10.2.3, the name of the automatically created Prober pool is prober_pool_10_10_2_3.
Chapter 2: Delegating DNS Traffic to Wide IPs
Topics:
• Overview: Delegating DNS traffic to wide IPs
• Task summary
Overview: Delegating DNS traffic to wide IPs
BIG-IP® Global Traffic Manager™ (GTM™) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can work in conjunction with an existing DNS server on your network. In this situation, you configure the DNS server to delegate wide IP-related requests to the BIG-IP GTM for name resolution.
Figure 1: Traffic flow when DNS server delegates traffic to BIG-IP GTM
This implementation focuses on the fictional company SiteRequest, which recently purchased BIG-IP GTM to help load balance traffic across two of its web-based applications: store.siterequest.com and checkout.siterequest.com. These application names belong to the siterequest.com zone, which an existing DNS server manages. SiteRequest has already configured BIG-IP GTM with two wide IPs, store.wip.siterequest.com and checkout.wip.siterequest.com, which correspond to these two web applications.
About listeners
Listeners control how BIG-IP® GTM™ handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of 0.0.0.0 and the DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.
Task summary
Perform these tasks to delegate DNS traffic to wide IPs.
Creating a delegated zone on a local DNS server
Creating a self IP address using the IP address of the legacy DNS server
Designating GTM as the primary server for the zone
Creating a listener to handle traffic for wide IPs
Creating a delegated zone on a local DNS server
If you are unfamiliar with how to modify the files on DNS servers, review the fifth edition of DNS and BIND, available from O’Reilly Media.
Determine which DNS servers will delegate wide IP-related requests to BIG-IP®GTM™. In order for BIG-IP GTM to manage the web applications store.siterequest.com and checkout.siterequest.com, you must create a delegated zone on the existing DNS server. Perform the following steps on each selected DNS server.
1. Create an address record (A record) that defines the domain name and IP address of BIG-IP GTM.
2. Create a nameserver record (NS record) that delegates the zone containing the wide IPs to BIG-IP GTM.
3. Create a canonical name record (CNAME record) for each web application, aliasing store.siterequest.com and checkout.siterequest.com to the wide IP names store.wip.siterequest.com and checkout.wip.siterequest.com, respectively.
A delegated zone now exists on each DNS server on which you performed this procedure.
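The three record types from the procedure above, written out as a zone-file fragment. This is an added example, not from the F5 manual. The host name gtm1.siterequest.com, the address 192.0.2.53 (a documentation-range address standing in for the self IP that a BIG-IP GTM listener is bound to) and the TTL are assumptions; the delegated zone is wip.siterequest.com because both wide IPs are names beneath it:

```bind
; Added example (not from the F5 manual): records the delegation procedure adds
; to the siterequest.com zone on the legacy DNS server. Assumptions: the BIG-IP
; GTM listener is reachable as gtm1.siterequest.com at 192.0.2.53, the TTL is
; one hour, and the delegated zone is wip.siterequest.com.
$ORIGIN siterequest.com.
$TTL 3600

; Step 1: A record for the BIG-IP GTM. Resolvers use it to reach the delegated
; zone, so it must carry an address that a listener is bound to.
gtm1        IN  A      192.0.2.53

; Step 2: NS record delegating wip.siterequest.com to the BIG-IP GTM.
; Every name at or below wip.siterequest.com is now answered by the GTM;
; the zone apex and all other names stay on the legacy server.
wip         IN  NS     gtm1.siterequest.com.

; Step 3: CNAME records aliasing each application name to its wide IP.
; A resolver looking up store.siterequest.com follows the alias, meets the
; delegation, and sends the query for store.wip.siterequest.com to the GTM.
store       IN  CNAME  store.wip.siterequest.com.
checkout    IN  CNAME  checkout.wip.siterequest.com.
```

Increment the SOA serial of siterequest.com after editing, check the file with `named-checkzone siterequest.com <file>`, and reload it (`rndc reload siterequest.com` on BIND). Because gtm1.siterequest.com sits in the parent zone rather than inside wip.siterequest.com, the A record is ordinary authoritative data rather than glue, but the GTM's own zone for wip.siterequest.com must still carry the same NS record at its apex; a parent delegation that disagrees with the child's apex NS set is a classic cause of intermittent resolution failures. Since store and checkout are now CNAMEs, no other record type can coexist at those names.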
Creating a self IP address using the IP address of the legacy DNS server
Create a self IP address on BIG-IP®GTM™ using the IP address of the legacy DNS server.
1. On the Main tab, click Network > Self IPs.
2. Click Create.
The New Self IP screen opens.
3. In the IP Address field, type the IP address of the legacy DNS server. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. Click Finished.
17 BIG-IP® Global Traffic Manager™: Implementations
The screen refreshes, and displays the new self IP address in the list.
Designating GTM as the primary server for the zone
Ensure that you have created a self IP address on BIG-IP®GTM™ using the IP address of the legacy DNS server.
Add the new self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration.
1. Log on to BIG-IP GTM.
2. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.
3. Click the name of the BIG-IP GTM system that you want to modify.
The server settings and values display.
4. In the Address List area, add the new self IP address.
5. Click Update.
6. Do one of the following based on your network configuration:
• Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the new IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object.
Note: If you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O’Reilly Media.
• Remove the legacy DNS server from your network.
BIG-IP GTM is now the authoritative name server for the zone. The delegation in the parent zone (its NS and glue records) does not need to be updated, because BIG-IP GTM now answers on the IP address that the legacy DNS server used.
Creating a listener to handle traffic for wide IPs
You need to create a listener that corresponds to a delegated zone that you create on your existing DNS server. This listener will identify DNS traffic that is destined for BIG-IP®GTM™.
1. On the Main tab, click Global Traffic > Listeners.
The Listeners List screen opens.
2. Click Create.
The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select either UDP or TCP.
6. Click Finished.
Implementation results
You now have an implementation of BIG-IP® GTM™ in which a DNS server manages DNS traffic unless a query is for a wide IP configured on BIG-IP GTM. When the DNS server receives queries for store.siterequest.com or checkout.siterequest.com, it delegates the queries to BIG-IP GTM, which then load balances the traffic to the appropriate wide IPs.
Chapter 3: Replacing a DNS Server with BIG-IP GTM
Topics:
• Overview: Replacing a DNS server with BIG-IP GTM
• Task summary
Overview: Replacing a DNS server with BIG-IP GTM
BIG-IP® Global Traffic Manager™ (GTM™) load balances incoming wide IP traffic to your network resources. BIG-IP GTM can also replace a local DNS server as the authoritative nameserver for wide IPs, zones, and all other DNS-related traffic. You can configure BIG-IP GTM to replace the DNS server that currently manages www.siterequest.com. BIG-IP GTM becomes the authoritative nameserver for www.siterequest.com and load balances traffic across the web-based applications store.siterequest.com and checkout.siterequest.com.
Figure 2: Traffic flow when BIG-IP GTM replaces DNS server
About listeners
Listeners control how BIG-IP®GTM™ handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of 0.0.0.0 and the DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.
Task summary
Perform these tasks to replace a DNS server with BIG-IP GTM.
Configuring the legacy DNS server to allow zone file transfers
Acquiring zone files from the legacy DNS server
Creating a self IP address using the IP address of the legacy DNS server
Designating GTM as the primary server for the zone
Creating listeners to identify DNS traffic
Configuring the legacy DNS server to allow zone file transfers
If you are unfamiliar with how to modify DNS server files, review the fifth edition of DNS and BIND, available from O’Reilly Media.
To configure the legacy DNS server to allow zone file transfers to BIG-IP®GTM™, add to the DNS server an allow-transfer statement that specifies the IP address of the new BIG-IP GTM system.
You can modify the following allow-transfer statement to use the IP address of your BIG-IP GTM:
allow-transfer { localhost; <IP address of BIG-IP GTM>; };
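The statement in context in named.conf, with the open setting it should replace shown beside it. This is an added example, not from the F5 manual; the zone name, the zone file name and the address 192.0.2.53 (standing in for the self IP from which the BIG-IP GTM sources the transfer) are assumptions:

```bind
// Added example (not from the F5 manual). 192.0.2.53 is an assumed address
// standing in for the BIG-IP GTM self IP that the zone transfer comes from.

// Weak: with "any" (historically also BIND 9's behaviour when the option is
// absent), every host on the Internet can AXFR the zone and enumerate each
// name in it. Shown commented out; do not use it.
// zone "siterequest.com" {
//     type master;
//     file "db.siterequest.com";
//     allow-transfer { any; };
// };

// Corrected: only the server itself and the BIG-IP GTM may transfer the zone.
zone "siterequest.com" {
    type master;
    file "db.siterequest.com";
    allow-transfer { localhost; 192.0.2.53; };
};
```

Validate with `named-checkconf` and apply with `rndc reload`. The address listed must be the self IP that the GTM actually sources the transfer from (the one on the VLAN routed toward the legacy server), which is not necessarily a listener address; if the transfer is refused, a packet capture on the legacy server shows the source address BIND saw. From a host that is not in the list, `dig @<legacy server> siterequest.com AXFR` should now report `Transfer failed.` and the legacy server logs a `zone transfer ... denied` entry; from the GTM's address the same query returns the full zone.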
Acquiring zone files from the legacy DNS server
Ensure that you have configured the legacy DNS server with an allow-transfer statement that authorizes zone transfers to BIG-IP®GTM™.
For BIG-IP GTM to acquire zone files from the legacy DNS server, create a new zone.
1. On the Main tab, click Global Traffic > ZoneRunner > Zone List.
The Zone List screen opens.
2. Click Create.
3. From the View Name list, select the view that you want this zone to be a member of. The default view is external.
4. In the Zone Name field, type a name for the zone file in this format, including the trailing dot:
db.[viewname].[zonename].
For example, db.external.siterequest.com.
5. From the Zone Type list, select Master.
6. From the Records Creation Method list, select Transfer from Server.
7. In the Source Server field, type the IP address of the DNS server (the server from which you want BIG-IP GTM to acquire zone files).
8. Click Finished.
Creating a self IP address using the IP address of the legacy DNS server
Create a self IP address on BIG-IP®GTM™ using the IP address of the legacy DNS server.
1. On the Main tab, click Network > Self IPs.
2. Click Create.
The New Self IP screen opens.
3. In the IP Address field, type the IP address of the legacy DNS server. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. Click Finished.
The screen refreshes, and displays the new self IP address in the list.
Designating GTM as the primary server for the zone
Ensure that you have created a self IP address on BIG-IP®GTM™ using the IP address of the legacy DNS server.
Add the new self IP address to the BIG-IP GTM server object. Then modify the DNS server based on your network configuration.
1. Log on to BIG-IP GTM.
2. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.
3. Click the name of the BIG-IP GTM system that you want to modify.
The server settings and values display.
4. In the Address List area, add the new self IP address.
5. Click Update.
6. Do one of the following based on your network configuration:
• Modify the IP address of the legacy DNS server so that it becomes a secondary DNS server to BIG-IP GTM. Ensure that the new IP address of the DNS server does not conflict with the self IP address that you added to the BIG-IP GTM server object.
Note: If you are unfamiliar with how to change a DNS server from a primary to a secondary, refer to the fifth edition of DNS and BIND, available from O’Reilly Media.
• Remove the legacy DNS server from your network.
BIG-IP GTM is now the authoritative name server for the zone. The delegation in the parent zone (its NS and glue records) does not need to be updated, because BIG-IP GTM now answers on the IP address that the legacy DNS server used.
Creating listeners to identify DNS traffic
Create two listeners to identify the DNS traffic, which was previously handled by the DNS server, for which BIG-IP®GTM™ is now responsible. Create one listener that uses the UDP protocol and one that uses the TCP protocol.
Note: DNS zone transfers use TCP port 53, and resolvers also retry over TCP when a UDP response is truncated (TC bit set), which is common for large responses such as DNSSEC-signed answers. If you do not configure a listener for TCP, those clients may receive a connection refused error or TCP RSTs, and the transfer or query fails.
1. On the Main tab, click Global Traffic > Listeners.
The Listeners List screen opens.
2. Click Create.
The new Listeners screen opens.
3. In the Destination field, type the IP address previously used by the legacy DNS server.
4. From the VLAN Traffic list, select All VLANs.
5. From the Protocol list, select UDP.
6. Click Finished.
Create another listener with the same IP address, but select TCP from the Protocol list.
Implementation results
BIG-IP®GTM™ replaces the legacy DNS server as the authoritative nameserver for the zone. BIG-IP GTM handles all incoming DNS traffic, whether destined for a wide IP or handled by the BIND instance on the system.
Chapter 4: Sending Traffic Through BIG-IP GTM
Topics:
• Overview: Configuring GTM to pass traffic to an existing DNS server
• Task summary
Overview: Configuring GTM to pass traffic to an existing DNS server
You can use BIG-IP® Global Traffic Manager™ (GTM™) as a router or forwarder in front of an existing DNS server. With this setup, all DNS traffic flows through BIG-IP GTM. Listeners that you configure on BIG-IP GTM inspect incoming DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is for a destination that does not match a wide IP, or for an IP address that is not configured on BIG-IP GTM, the system routes or forwards the query to the specified DNS server for resolution. When forwarding a query, BIG-IP GTM rewrites the source address to one of its own self IP addresses, so that the DNS server sends its response back through BIG-IP GTM, which then returns the response to the client.
Figure 3: Traffic flow through the BIG-IP GTM routing or forwarding traffic to DNS server
About listeners
Listeners control how BIG-IP® GTM™ handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of 0.0.0.0 and the DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.
About Router mode
When BIG-IP®GTM™ is in Router mode, a listener alerts the system when it receives requests destined for a DNS server on a different subnet. BIG-IP GTM routes these requests to the specified DNS server.
About Bridge mode
When BIG-IP®GTM™ is in Bridge mode, a listener alerts the system when it receives requests destined for a DNS server on the same network segment. The BIG-IP GTM forwards these requests to the specified DNS server.
Task summary
Perform these tasks to send traffic through BIG-IP®GTM™.
Placing GTM on your network to forward traffic
Creating a listener to forward traffic to a DNS server on a different network segment
Creating a listener to forward traffic to a DNS server on the same network segment
Placing GTM on your network to forward traffic
Determine the DNS server to which you want this BIG-IP®GTM™ system to forward traffic. Then place BIG-IP GTM between the existing DNS server and the Internet.
1. Physically connect BIG-IP GTM to your Internet connection.
2. Connect the DNS server to an Ethernet port on BIG-IP GTM.
Creating a listener to forward traffic to a DNS server on a different network segment
Determine the DNS server to which you want this listener to forward traffic.
1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create.
The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to route traffic.
Important: The destination must not match a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.
Creating a listener to forward traffic to a DNS server on the same network segment
Determine the DNS server to which you want this listener to forward traffic.
1. On the Main tab, click Global Traffic > Listeners. The Listeners List screen opens.
2. Click Create.
The new Listeners screen opens.
3. In the Destination field, type the IP address on which BIG-IP GTM listens for network traffic. The destination is the IP address of a DNS server to which you want the listener to forward traffic.
Important: The destination must not match a self IP address on BIG-IP GTM.
4. From the VLAN Traffic list, select All VLANs.
5. Click Finished.
Implementation results
You now have an implementation in which BIG-IP® GTM™ receives all DNS queries. If the query is for a wide IP, BIG-IP GTM load balances the request to the appropriate resource. If the query is addressed to the IP address of a DNS server, BIG-IP GTM either routes or forwards the query to that DNS server for resolution.
Chapter 5: Load Balancing Non-Wide IP DNS Traffic to a Pool of DNS Servers
Topics:
• Overview: Load balancing non-wide IP traffic to a pool of DNS servers
• Task summary
Overview: Load balancing non-wide IP traffic to a pool of DNS servers
BIG-IP® Global Traffic Manager™ (GTM™) can function as a load balancer in front of a pool of DNS servers. In this situation, BIG-IP GTM inspects incoming DNS queries and, if the query is for a wide IP, load balances it to the appropriate resource. Otherwise, BIG-IP GTM forwards the DNS query to one of the servers in a pool of DNS servers, and that server handles the query.
About listeners
Listeners control how BIG-IP® GTM™ handles network traffic. A listener is a specialized virtual server that is assigned a specific IP address. A wildcard listener is a special listener that is assigned an IP address of 0.0.0.0 and the DNS query port (port 53). When traffic is sent to the IP address of a listener, BIG-IP GTM either handles the traffic locally or sends the traffic to the appropriate resource.
Task summary
Perform these tasks to load balance non-wide IP traffic to a pool of DNS servers.
Creating a pool of local DNS servers
Creating a listener that alerts GTM to DNS queries for a pool of DNS servers
Creating a pool of local DNS servers
Gather the IP addresses of the DNS servers that you want to include in a pool to which BIG-IP® GTM™ load balances DNS traffic.
1. Log on to the command line interface of BIG-IP GTM.
2. Type tmsh, to access the Traffic Management Shell.
3. Run a variation on this command sequence to create a pool using the IP addresses of the DNS servers on your network:
create /ltm pool DNS_pool members add { 10.10.1.1:domain 10.10.1.2:domain 10.10.1.3:domain } monitor udp
When you run the above example command, the system creates a BIG-IP LTM pool named DNS_pool that includes three DNS servers with the following IP addresses: 10.10.1.1, 10.10.1.2, and 10.10.1.3. A UDP monitor is assigned to the pool to determine the availability of the pool members.
4. Run this command sequence to save the pool: save /sys config
5. Run this command sequence to display the pool: list /ltm pool
6. Verify that the pool is configured correctly.
Creating a listener that alerts GTM to DNS queries for a pool of DNS servers
Configure a listener that alerts BIG-IP® GTM™ to DNS queries destined for DNS servers that are members of a pool.
1. Log on to the command line interface of BIG-IP GTM.
2. Type tmsh, to access the Traffic Management Shell.
3. Run this command sequence to create a listener:
create /gtm listener DNS_listener address 192.168.5.10 ip-protocol udp pool DNS_pool translate-address enabled
When you run the above example command, the system creates a listener named DNS_listener with an IP address of 192.168.5.10 that alerts BIG-IP GTM to queries destined for the members of DNS_pool. Because translate-address is enabled, the destination address of a forwarded query is rewritten to the address of the selected pool member.
4. Run this command sequence to save the listener: save /sys config
5. Run this command sequence to display the listener: list /gtm listener
The system displays the new listener configuration.
Implementation results
You now have an implementation in which BIG-IP® GTM™ receives DNS queries, load balances wide IP requests to the appropriate resource, and load balances all other DNS queries to the members of the pool of DNS servers.
Chapter 6: Load Balancing DNS Traffic Between IPv6-Only and IPv4-Only Clouds
Topics:
• Overview: Load balancing IPv6-only connection requests to IPv4-only servers
• Task summary
Overview: Load balancing IPv6-only connection requests to IPv4-only servers
You can configure the BIG-IP® Local Traffic Manager™ (LTM) and BIG-IP® Global Traffic Manager™ (GTM) system to load balance IPv6-only client connection requests to IPv4-only servers on your network by returning an AAAA record response to the client.
Task summary
Perform these tasks to configure load balancing of IPv6-only connection requests to IPv4-only servers on your network.
Creating a custom DNS profile
Assigning a DNS profile to a virtual server
Creating a custom DNS profile
You can create a custom DNS profile to configure how the BIG-IP® system handles DNS connection requests.
1. On the Main tab, click Local Traffic > Profiles > Services > DNS. The DNS profile list screen opens.
2. Click Create.
The New DNS Profile screen opens.
3. In the Name field, type a name for the profile.
Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
4. In the Parent Profile list, accept the default dns profile.
5. Select the Custom check box.
The fields in the Settings area become available for configuring.
6. In the Global Traffic Management list, accept the default value Enabled.
7. From the DNS IPv6 to IPv4 list, select how you want the system to handle IPv6 to IPv4 address mapping in DNS queries and responses.
Disabled: The BIG-IP system does not map IPv4 addresses to IPv6 addresses.
Immediate: The BIG-IP system forwards the first good response from the DNS server to the client. If the system receives an A response first, it appends a 96-bit prefix to the record and forwards it to the client. If the system receives an AAAA response first, it simply forwards the response to the client. The system disregards the second response from the DNS server.
Secondary: The BIG-IP system sends an AAAA query to the DNS server. Only if that response fails does the BIG-IP system send an A query. If the BIG-IP system receives an A response, it appends a 96-bit user-configured prefix to the record and forwards it to the client.
v4 Only: The BIG-IP system receives an AAAA query, translates it into an A query, and forwards the query to a DNS server. After receiving the response, the system appends a 96-bit user-configured prefix to the record and forwards it to the IPv6 client.
Important: Select v4 Only only if you know that no DNS AAAA queries will be sent to the BIG-IP system.
If you selected Immediate, Secondary, or v4 Only, two new fields display.
8. In the IPv6 to IPv4 Prefix field, specify the prefix the BIG-IP system appends to all A query responses to an IPv6 request.
9. From the IPv6 to IPv4 Additional Section Rewrite list, select an option to allow improved network efficiency for both Unicast and Multicast DNS-SD responses.
Disabled: The BIG-IP system does not perform additional rewrite.
v4 Only: The BIG-IP system accepts only A records. The system appends the 96-bit user-configured prefix to a record and returns an IPv6 response to the client.
v6 Only: The BIG-IP system accepts only AAAA records and returns those records to the client.
Any: The BIG-IP system accepts and returns both A and AAAA records. If the DNS server returns an A record in the Additional section of a DNS message, the BIG-IP system appends the 96-bit user-configured prefix to the record and returns an IPv6 response to the client.
10. From the Use BIND Server on BIG-IP list, select Enabled.
Note: Enable this setting only when you want the system to forward non-wide IP queries to the local BIND server on BIG-IP GTM.
11. Click Finished.
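The following Python script is an added example, not part of the F5 documentation or the BIG-IP software, that shows what the DNS IPv6 to IPv4 options do to the addresses an IPv6-only client receives: the 96-bit prefix is prepended to each 32-bit IPv4 address, and the option decides which back-end answer is used. The prefix 64:ff9b::/96 and the sample A and AAAA records are constructed values; on the BIG-IP system the prefix is whatever you type into the IPv6 to IPv4 Prefix field.

```python
import ipaddress

# Constructed example prefix for this demonstration. On the BIG-IP system this is
# the value entered in the "IPv6 to IPv4 Prefix" field of the DNS profile.
DEFAULT_PREFIX = "64:ff9b::/96"


def synthesize_aaaa(ipv4: str, prefix: str = DEFAULT_PREFIX) -> str:
    """Build the AAAA address an IPv6-only client receives for an IPv4-only server:
    the 96-bit prefix followed by the 32-bit IPv4 address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 96:
        raise ValueError("the IPv6 to IPv4 prefix must be exactly 96 bits long")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return str(ipaddress.IPv6Address(int(net.network_address) | v4))


def dns64_answer(mode: str, responses, prefix: str = DEFAULT_PREFIX):
    """Decide what the IPv6 client gets back, following the four 'DNS IPv6 to IPv4' options.

    responses is a list of (rrtype, [rdata, ...]) tuples in the order the answers arrive
    from the back-end DNS server; an empty rdata list models a failed or empty answer.
    Returns the list of IPv6 addresses to send to the client ([] means no answer).
    """
    def synth(rdatas):
        return [synthesize_aaaa(a, prefix) for a in rdatas]

    a_records = [rd for rrtype, rdatas in responses if rrtype == "A" for rd in rdatas]
    aaaa_records = [rd for rrtype, rdatas in responses if rrtype == "AAAA" for rd in rdatas]

    if mode == "Disabled":
        # No mapping: only native AAAA answers reach the client.
        return aaaa_records
    if mode == "Immediate":
        # The first good (non-empty) response wins; the second one is discarded.
        for rrtype, rdatas in responses:
            if not rdatas:
                continue
            return synth(rdatas) if rrtype == "A" else list(rdatas)
        return []
    if mode == "Secondary":
        # AAAA is asked first; A is only used when the AAAA answer yields nothing.
        return aaaa_records if aaaa_records else synth(a_records)
    if mode == "v4 Only":
        # The AAAA query was rewritten to an A query, so only A answers exist to map.
        return synth(a_records)
    raise ValueError(f"unknown DNS IPv6 to IPv4 option: {mode!r}")


if __name__ == "__main__":
    # Constructed sample answers: an A record arriving before a native AAAA record.
    sample = [("A", ["192.0.2.1"]), ("AAAA", ["2001:db8::1"])]
    for option in ("Disabled", "Immediate", "Secondary", "v4 Only"):
        print(f"{option:10s} -> {dns64_answer(option, sample)}")
```

The Immediate and Secondary cases differ only when both answers exist: Immediate returns a synthesized address if the A record happened to arrive first, while Secondary prefers the native AAAA record. The prefix-length check matters because a prefix that is not exactly 96 bits would overwrite or leave unset part of the embedded IPv4 address.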
Assigning a DNS profile to a virtual server
1. On the Main tab, click Local Traffic > Virtual Servers.
The Virtual Server List screen displays a list of existing virtual servers.
2. Click the name of the virtual server you want to modify.
3. From the DNS Profile list, select the profile you created to manage IPv6 to IPv4 address mapping.
4. Click Update.
This virtual server can now pass traffic between an IPv6-only client and an IPv4-only DNS server.
Implementation results
You now have an implementation in which the BIG-IP® system handles connection requests from an IPv6-only client to an IPv4-only server.
Chapter 7: Configuring GTM on a Network with One Route Domain
Topics:
• Overview: How do I deploy BIG-IP GTM on a network with one route domain?
• Task summary
Overview: How do I deploy BIG-IP GTM on a network with one route domain?
You can deploy BIG-IP® Global Traffic Manager™ (GTM™) on a network where BIG-IP Local Traffic Manager™ (LTM®) is configured with one route domain and no overlapping IP addresses.
Caution: F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.
Figure 4: BIG-IP GTM deployed on a network in front of a BIG-IP LTM configured with a route domain
Task summary
BIG-IP® GTM™ can gather status and statistics for the virtual servers hosted on BIG-IP Local Traffic Manager™ (LTM) systems on your network that are configured on a route domain. The BIG-IP LTM systems must contain:
• A self IP address that represents the address space of the route domain.
Additionally, BIG-IP GTM must contain a server object for each route domain. The server objects must be configured with a self IP address that represents the address space of the route domain.
Perform the specified tasks to configure BIG-IP LTM systems with a route domain, and then to configure BIG-IP GTM to be able to monitor these systems.
Creating VLANs for a route domain on BIG-IP LTM
Creating a route domain on BIG-IP LTM
Creating a self IP address for a route domain on BIG-IP LTM
Defining a server for a route domain on BIG-IP GTM
Creating VLANs for a route domain on BIG-IP LTM
You need to create two VLANs on BIG-IP® Local Traffic Manager™ (LTM®) through which traffic can pass to a route domain.
1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
2. Click Create.
The New VLAN screen opens.
3. In the Name field, type external.
4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
The VLAN tag identifies the traffic from hosts in the associated VLAN.
5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.
7. Click Finished.
The screen refreshes, and displays the new VLAN in the list. Repeat this procedure, but in Step 3, name the VLAN internal.
Creating a route domain on BIG-IP LTM
Ensure that an external and an internal VLAN exist on BIG-IP® LTM® before you create a route domain. You can create a route domain on BIG-IP LTM to segment (isolate) network traffic on your network.
1. On the Main tab, click Network > Route Domains.
2. Click Create.
The New Route Domain screen opens.
3. Type an ID number for the route domain.
This is the ID number that you will append later to any relevant IP addresses that you create on the BIG-IP system, such as virtual addresses, pool member addresses, and self IP addresses.
4. In the Description field, type a description of the route domain, for example: This route domain applies to traffic for application MyApp.
5. In the Strict Isolation area, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.
6. From the Parent Name list, retain the default value.
7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Members list.
8. Click Finished.
The system displays a list of route domains on the BIG-IP system.
Creating a self IP address for a route domain on BIG-IP LTM
Ensure that external and internal VLANs exist on BIG-IP® LTM, before you begin creating a self IP address for a route domain.
Create a self IP address on BIG-IP LTM that resides in the address space of the route domain.
1. On the Main tab, click Network > Self IPs.
2. Click Create.
The New Self IP screen opens.
3. In the IP Address field, type an IP address.
This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select external.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished.
The screen refreshes, and displays the new self IP address in the list. Repeat this procedure, but in Step 5, select VLAN internal.
Defining a server for a route domain on BIG-IP GTM
On a BIG-IP GTM system, define a server that represents the route domain.
1. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.
2. Click Create.
The New Server screen displays.
3. In the Name field, type a name for the server.
Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1.
6. From the Data Center list, select the data center where the server resides.
7. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
8. From the Virtual Server Discovery list, select how you want virtual servers to be added to the system. Virtual server discovery is supported when you have only one route domain.
Disabled: Use this option when you plan to manually add virtual servers to the system.
Enabled: The system automatically adds virtual servers using the discovery feature.
Enabled (No Delete): The system uses the discovery feature and does not delete any virtual servers that already exist.
9. Click Create.
The Server List screen opens displaying the new server in the list.
Implementation results
You now have an implementation in which BIG-IP® GTM™ can monitor virtual servers on BIG-IP LTM® systems configured with one route domain.
Chapter 8: Configuring GTM on a Network with Multiple Route Domains
Topics:
• Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?
• Task summary
Overview: How do I deploy BIG-IP GTM on a network with multiple route domains?
You can deploy BIG-IP® Global Traffic Manager™ (GTM) on a network where BIG-IP Local Traffic Manager™ (LTM) systems are configured with multiple route domains and overlapping IP addresses.
Important: On a network with route domains, you must ensure that virtual server discovery (autoconf) is disabled, because virtual server discovery does not discover translation IP addresses.
Caution: F5 Networks does not support the configuration of route domains on a standalone BIG-IP GTM.
The following figure shows BIG-IP GTM deployed in a network with multiple BIG-IP Local Traffic Manager™ (LTM®) systems configured with the default route domain (zero), and two additional route domains. BIG-IP GTM can monitor the Application1 and Application2 servers that have overlapping IP addresses and reside in different route domains. The firewalls perform the required address translation between the BIG-IP GTM and BIG-IP LTM addresses; you must configure the firewalls to segment traffic and avoid improperly routing packets between route domain 1 and route domain 2.
Figure 5: BIG-IP GTM deployed on a network with multiple route domains
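The following Python script is an added example, not part of the F5 documentation or the BIG-IP software, that applies the addressing rules of this chapter and the previous one: it parses the x.x.x.x%n form used for LTM self IP addresses, strips the %n suffix to obtain the address a GTM server object takes, and flags addresses that recur across route domains, which GTM cannot tell apart without the firewall translation described above. The sample addresses and the translation table are constructed, and the plan_gtm_servers helper with its translation map is an illustration of the check, not a BIG-IP feature.

```python
import ipaddress
from collections import defaultdict


def parse_rd_address(text: str):
    """Split a BIG-IP address written as x.x.x.x%n into (ip address, route domain id).
    An address without %n belongs to the default route domain, 0."""
    addr, sep, rd = text.partition("%")
    if sep and not rd.isdigit():
        raise ValueError(f"bad route domain id in {text!r}")
    return ipaddress.ip_address(addr), (int(rd) if sep else 0)


def gtm_server_address(text: str) -> str:
    """The address to put in a GTM server object's Address List: the LTM self IP
    without its %n suffix (GTM server objects do not carry a route domain id)."""
    addr, _ = parse_rd_address(text)
    return str(addr)


def find_overlaps(self_ips):
    """Return {address: [route domain ids]} for every address that appears in more
    than one route domain. Because the GTM-side address has no route domain id, such
    addresses are ambiguous to GTM and need address translation in front of each
    route domain (the firewall NAT the chapter describes)."""
    domains = defaultdict(set)
    for text in self_ips:
        addr, rd = parse_rd_address(text)
        domains[addr].add(rd)
    return {str(a): sorted(rds) for a, rds in domains.items() if len(rds) > 1}


def plan_gtm_servers(self_ips, translations=None):
    """Produce (route domain id, address GTM should use) pairs, one per LTM self IP.

    translations (constructed for this example) maps an LTM address with %n to the
    address GTM reaches it on after firewall translation. It is mandatory for any
    address that overlaps across route domains; a missing entry raises ValueError
    so the ambiguity is caught before a server object is created.
    """
    translations = translations or {}
    overlaps = find_overlaps(self_ips)
    plan = []
    for text in self_ips:
        addr, rd = parse_rd_address(text)
        if str(addr) in overlaps and text not in translations:
            raise ValueError(
                f"{text} overlaps route domains {overlaps[str(addr)]} and has no translation"
            )
        plan.append((rd, translations.get(text, str(addr))))
    return plan


if __name__ == "__main__":
    # Constructed sample: Application1 and Application2 share 10.1.1.1 in RD 1 and RD 2.
    ltm_self_ips = ["10.1.1.1%1", "10.1.1.1%2", "10.2.2.2%0"]
    print("overlaps:", find_overlaps(ltm_self_ips))
    nat = {"10.1.1.1%1": "192.0.2.11", "10.1.1.1%2": "192.0.2.12"}
    print("GTM server addresses:", plan_gtm_servers(ltm_self_ips, nat))
```

With no overlaps the plan is just the self IPs with the suffix removed, which is the one-route-domain case of the previous chapter; with overlaps the script refuses to continue until every duplicated address has a translated address, mirroring why the figure puts firewalls between GTM and each route domain.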
Task summary
Before BIG-IP® GTM™ can gather status and statistics for the virtual servers hosted on BIG-IP LTM® systems on your network that are configured with route domains, you must configure the following on each BIG-IP LTM that handles traffic for route domains:
• VLANs through which traffic for your route domains passes
• Route domains that represent each network segment
• Self IP addresses that represent the address spaces of the route domains
Additionally, on BIG-IP GTM you must:
• Configure, for each route domain, a server object with virtual server discovery disabled
• Disable virtual server discovery globally
Perform the following tasks to configure BIG-IP GTM to monitor BIG-IP LTM systems with route domains.
Creating VLANs for a route domain on BIG-IP LTM
Creating a route domain on BIG-IP LTM
Creating a self IP address for a route domain on BIG-IP LTM
Disabling auto-discovery at the global level on BIG-IP GTM
Defining a server for a route domain on BIG-IP GTM
Creating VLANs for a route domain on BIG-IP LTM
Create two VLANs on BIG-IP LTM through which traffic can pass to a route domain.
1. On the Main tab, click Network > VLANs.
The VLAN List screen opens.
2. Click Create.
The New VLAN screen opens.
3. In the Name field, type external.
4. In the Tag field, type a numeric tag, from 1 to 4094, for the VLAN. Leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
The VLAN tag identifies the traffic from hosts in the associated VLAN.
5. For the Interfaces setting, in the Available list, click an interface number or trunk name and add the selected interface or trunk to the Untagged list. Repeat this step as necessary.
6. Select the Source Check check box if you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated.
7. Click Finished.
The screen refreshes, and displays the new VLAN in the list.
Repeat this procedure, but in Step 3, name the second VLAN internal.
Creating a route domain on BIG-IP LTM
Ensure that VLANs exist on BIG-IP LTM, before you create a route domain.
You can create a route domain on a BIG-IP system to segment (isolate) network traffic on your network.
1. On the Main tab, click Network > Route Domains.
2. Click Create.
The New Route Domain screen opens.
3. Type an ID number for the route domain.
This is the ID number that you will append later to any relevant IP addresses that you create on the BIG-IP system, such as virtual addresses, pool member addresses, and self IP addresses.
4. In the Description field, type a description of the route domain, for example: This route domain applies to traffic for application MyApp.
5. In the Strict Isolation area, select the Enabled check box to restrict traffic in this route domain from crossing into another route domain.
6. From the Parent Name list, retain the default value.
7. For the VLANs setting, move the external and internal VLANs from the Available list, to the Members list.
8. Click Finished.
The system displays a list of route domains on the BIG-IP system. Create additional route domains based on your network configuration.
Creating a self IP address for a route domain on BIG-IP LTM
Ensure that VLANs exist on BIG-IP LTM before you begin creating a self IP address for a route domain. Create a self IP address on the BIG-IP system that resides in the address space of the route domain.
1. On the Main tab, click Network > Self IPs.
2. Click Create.
The New Self IP screen opens.
3. In the IP Address field, type an IP address.
This IP address must represent a self IP address in a route domain. Use the format x.x.x.x%n, where n is the route domain ID, for example, 10.1.1.1%1. The system accepts IP addresses in both the IPv4 and IPv6 formats.
4. In the Netmask field, type the network mask for the specified IP address.
5. From the VLAN/Tunnel list, select the VLAN that you assigned to the route domain that contains this self IP address.
6. From the Port Lockdown list, select Allow Default.
7. Click Finished.
The screen refreshes, and displays the new self IP address in the list. Create additional self IP addresses based on your network configuration.
Disabling auto-discovery at the global-level on BIG-IP GTM
On BIG-IP GTM, disable auto-discovery at the global level.
1. On the Main tab, click System > Configuration > Global Traffic > General. The General Configuration screen opens.
2. Clear the Auto-Discovery check box.
3. Click Update.
Defining a server for a route domain on BIG-IP GTM
On BIG-IP GTM, define a server that represents the route domain.
1. On the Main tab, click Global Traffic > Servers.
The Server List screen opens.
2. Click Create.
The New Server screen displays.
3. In the Name field, type a name for the server.
Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
Important: Server names are limited to 63 characters.
4. From the Product list, select either BIG-IP System (Single) or BIG-IP System (Redundant). The server type determines the metrics that the system can collect from the server.
5. In the Address List area, add the self IP address that you assigned to the VLAN that you assigned to the route domain.
Important: Do not include the route domain ID in this IP address. Use the format x.x.x.x, for example, 10.10.10.1.
6. From the Data Center list, select the data center where the server resides.
7. From the Prober Pool list, select one of the following.
Inherit from Data Center: By default, a server inherits the Prober pool assigned to the data center in which the server resides.
Prober pool name: Select the Prober pool that contains the BIG-IP systems that you want to perform monitor probes of this server.
Note: The selected Prober pool must reside in the same route domain as the servers you want the pool members to probe.
8. In the Health Monitors area, assign the bigip monitor to the server by moving it from the Available list to the Selected list.
9. From the Virtual Server Discovery list, select Disabled.
10. Click Create.
The Server List screen opens, displaying the new server in the list.
Implementation results
You now have an implementation in which BIG-IP GTM monitors BIG-IP LTM virtual servers on the various route domains in your network.
Chapter 9: Securing Your DNS Infrastructure
Topics:
• Overview: Securing your DNS infrastructure
• Task summary
Overview: Securing your DNS infrastructure
You can use BIG-IP® Global Traffic Manager™ (GTM™) to ensure that all responses to DNS-related traffic comply with the DNSSEC security protocol. To configure DNSSEC compliance, you create DNSSEC key-signing and zone-signing keys and a DNSSEC zone. Then you assign at least one enabled key-signing key and one enabled zone-signing key to the zone.
Figure 6: Traffic flow when BIG-IP GTM is DNSSEC authoritative nameserver
How do I prepare for a manual rollover of a DNSSEC key?
When you create DNSSEC key-signing keys and DNSSEC zone-signing keys, it is important to create a disabled standby version of each key that has a similar name. To do so, associate both pairs of keys with the same zone. This prepares you to easily perform a manual rollover of the keys should an enabled key become compromised.
Task summary
Perform these tasks on BIG-IP® GTM™ to secure your DNS infrastructure.
Creating DNSSEC key-signing keys
Creating DNSSEC zone-signing keys
Creating DNSSEC zones
Validating that a zone is correctly signed
Specifying which GTM creates new generations of DNSSEC keys
Creating DNSSEC key-signing keys
Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
• The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
• The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
• The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
1. On the Main tab, click Global Traffic > DNSSEC Key List.
2. Click Create.
3. In the Name field, type a name for the key.
Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Zone names are limited to 63 characters.
4. In the Bit Width field, type 2048.
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Key Signing Key.
7. From the State list, select Enabled.
8. In the TTL field, accept the default value of 86400 (the number of seconds in one day).
This value specifies how long a client resolver can cache the key. It must be less than the difference between the rollover and expiration periods of the key; otherwise a resolver whose cache still holds the previous key set can query the system and receive a valid key that it does not yet recognize.
9. For the Rollover Period setting, in the Days field, type 340.
10. For the Expiration Period setting, in the Days field, type 365.
11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
13. Click Finished.
14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
Creating DNSSEC zone-signing keys
Determine the values you want to configure for the rollover period, expiration period, and TTL of the key, using the following criteria:
• The amount of time required to send the DS records for the zone to which this key is associated to the organization that manages the parent zone.
• The value of the rollover period must be greater than half the value of the expiration period, as well as less than the value of the expiration period.
• The difference between the values of the rollover and expiration periods must be more than the value of the TTL.
Note: The values recommended in this procedure are based on the values in the NIST Secure Domain Name System (DNS) Deployment Guide.
1. On the Main tab, click Global Traffic > DNSSEC Key List.
2. Click Create.
3. In the Name field, type a name for the key.
Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. Zone names are limited to 63 characters.
4. In the Bit Width field, type 1024.
5. From the Use FIPS list, if your system has a FIPS hardware security module (HSM), select Enabled.
6. From the Type list, select Zone Signing Key.
7. From the State list, select Enabled.
8. In the TTL field, accept the default value of 86400 (the number of seconds in one day).
This value specifies how long a client resolver can cache the key. It must be less than the difference between the rollover and expiration periods of the key; otherwise a resolver whose cache still holds the previous key set can query the system and receive a valid key that it does not yet recognize.
9. For the Rollover Period setting, in the Days field, type 21.
10. For the Expiration Period setting, in the Days field, type 30.
11. For the Signature Validity Period setting, accept the default value of seven days. This value must be greater than the value of the signature publication period.
12. For the Signature Publication Period setting, accept the default value of four days and 16 hours. This value must be less than the value of the signature validity period.
13. Click Finished.
14. To create a standby key for emergency rollover purposes, repeat this procedure using a similar name, and select Disabled from the State list.
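The following Python function is an added example, not part of the F5 documentation or the BIG-IP software, that checks a proposed key configuration against the timing rules stated in both the key-signing-key and zone-signing-key procedures above: the rollover period must lie between half of the expiration period and the expiration period, the gap between expiration and rollover must exceed the key TTL, and the signature validity period must exceed the signature publication period. The ds_submission_seconds argument is an assumption: it treats the time needed to deliver DS records to the parent zone's operator as a lower bound on the rollover-to-expiration window, which the procedures list as a factor to consider but do not state as a formula.

```python
DAY = 86400
HOUR = 3600


def check_dnssec_key_timing(rollover_days, expiration_days, ttl_seconds=DAY,
                            sig_validity_seconds=7 * DAY,
                            sig_publication_seconds=4 * DAY + 16 * HOUR,
                            ds_submission_seconds=0):
    """Check a DNSSEC key's timing values against the rules in the procedures.

    Returns a list of violated rules; an empty list means the values are acceptable.
    Defaults are the page's defaults: TTL one day, signature validity seven days,
    signature publication four days and sixteen hours. ds_submission_seconds is
    this example's own interpretation of the DS-delivery criterion (see lead-in).
    """
    rollover = rollover_days * DAY
    expiration = expiration_days * DAY
    window = expiration - rollover   # time during which both key generations coexist
    problems = []
    if not (expiration / 2 < rollover < expiration):
        problems.append("rollover period must be greater than half of, and less than, the expiration period")
    if not (window > ttl_seconds):
        problems.append("expiration period minus rollover period must exceed the key TTL")
    if not (sig_validity_seconds > sig_publication_seconds):
        problems.append("signature validity period must exceed signature publication period")
    if not (window >= ds_submission_seconds):
        problems.append("rollover-to-expiration window is shorter than the time needed to publish DS records at the parent")
    return problems


def report(label, **kwargs):
    """Human-readable wrapper used by the demonstration below."""
    problems = check_dnssec_key_timing(**kwargs)
    status = "OK" if not problems else "; ".join(problems)
    return f"{label}: {status}"


if __name__ == "__main__":
    # The page's recommended values for each key type.
    print(report("KSK 340/365", rollover_days=340, expiration_days=365))
    print(report("ZSK 21/30", rollover_days=21, expiration_days=30))
    # Two constructed misconfigurations: a one-day window equal to the TTL, and
    # a rollover period shorter than half the expiration period.
    print(report("KSK 364/365", rollover_days=364, expiration_days=365))
    print(report("KSK 100/365", rollover_days=100, expiration_days=365))
```

Run it before creating keys with values other than the recommended ones: the 364/365 case is the subtle one, since the rule is strict and a window exactly equal to the TTL is not enough.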
Creating DNSSEC zones
Before BIG-IP® GTM™ can sign zone requests, you must assign at least one enabled zone-signing key and one enabled key-signing key to the zone.
1. On the Main tab, click Global Traffic > DNSSEC Zone List.
2. Click Create.
3. In the Name field, type the FQDN of the zone. The zone can be your whole domain or a subdomain of it.
For example, use a zone name of example.com to handle DNSSEC requests for example.com, including *.example.com. Use a zone name of www.example.com to handle DNSSEC requests for www.example.com and *.www.example.com.
4. From the State list, select Enabled.
5. For the Zone Signing Key setting, assign at least one enabled zone-signing key to the zone.